FreeBSD-SA-11:09.pam_ssh

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

=============================================================================
FreeBSD-SA-11:09.pam_ssh                                    Security Advisory
                                                          The FreeBSD Project

Topic:          pam_ssh improperly grants access when user account has
                unencrypted SSH private keys

Category:       contrib
Module:         pam
Announced:      2011-12-23
Credits:        Guy Helmer, Dag-Erling Smorgrav
Affects:        All supported versions of FreeBSD.
Corrected:      2011-12-11 20:40:23 UTC (RELENG_7, 7.4-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9)
                2011-12-11 20:38:36 UTC (RELENG_8, 8.2-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7)
                2011-12-11 16:57:27 UTC (RELENG_9, 9.0-STABLE)
                2011-12-11 17:32:37 UTC (RELENG_9_0, 9.0-RELEASE)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The PAM (Pluggable Authentication Modules) library provides a flexible
framework for user authentication and session setup / teardown.  It is
used not only in the base system, but also by a large number of
third-party applications.

Various authentication methods (UNIX, LDAP, Kerberos etc.) are
implemented in modules which are loaded and executed according to
predefined, named policies.  These policies are defined in
/etc/pam.conf, /etc/pam.d/<policy name>, /usr/local/etc/pam.conf or
/usr/local/etc/pam.d/<policy name>.

The base system includes a module named pam_ssh which, if enabled,
allows users to authenticate themselves by typing in the passphrase of
one of the SSH private keys which are stored in encrypted form in the
their .ssh directory.  Authentication is considered successful if at
least one of these keys could be decrypted using the provided
passphrase.

By default, the pam_ssh module rejects SSH private keys with no
passphrase.  A "nullok" option exists to allow these keys.

II.  Problem Description

The OpenSSL library call used to decrypt private keys ignores the
passphrase argument if the key is not encrypted.  Because the pam_ssh
module only checks whether the passphrase provided by the user is
null, users with unencrypted SSH private keys may successfully
authenticate themselves by providing a dummy passphrase.

III. Impact

If the pam_ssh module is enabled, attackers may be able to gain access
to user accounts which have unencrypted SSH private keys.

IV.  Workaround

No workaround is available, but systems that do not have the pam_ssh module
enabled are not vulnerable.  The pam_ssh module is not enabled in any
of the default policies provided in the base system.

The system administrator can use the following procedure to inspect all
PAM policy files to determine whether the pam_ssh module is enabled.
If the following command produces any output, the system may be
vulnerable:

# egrep -r ‘^[^#].*\<pam_ssh\>’ /etc/pam.* /usr/local/etc/pam.*

The following command will disable the pam_ssh module in all PAM
policies present in the system:

# sed -i ” -e ‘/^[^#].*pam_ssh/s/^/#/’ /etc/pam.conf /etc/pam.d/* \
    /usr/local/etc/pam.conf /usr/local/etc/pam.d/*

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to
the RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security
branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 7.3,
8.2 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-11:09/pam_ssh.patch
# fetch http://security.FreeBSD.org/patches/SA-11:09/pam_ssh.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libpam/modules/pam_ssh
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries.  On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in
<URL:http://www.FreeBSD.org/handbook/makeworld.html>

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
– ————————————————————————-
RELENG_7
  src/lib/libpam/modules/pam_ssh/pam_ssh.c                       1.44.2.2
RELENG_7_4
  src/UPDATING                                             1.507.2.36.2.7
  src/sys/conf/newvers.sh                                  1.72.2.18.2.10
  src/lib/libpam/modules/pam_ssh/pam_ssh.c                   1.44.2.1.8.2
RELENG_7_3
  src/UPDATING                                            1.507.2.34.2.11
  src/sys/conf/newvers.sh                                  1.72.2.16.2.13
  src/lib/libpam/modules/pam_ssh/pam_ssh.c                   1.44.2.1.6.2
RELENG_8
  src/lib/libpam/modules/pam_ssh/pam_ssh.c                       1.45.2.3
RELENG_8_2
  src/UPDATING                                             1.632.2.19.2.7
  src/sys/conf/newvers.sh                                  1.83.2.12.2.10
  src/lib/libpam/modules/pam_ssh/pam_ssh.c                   1.45.2.2.4.2
RELENG_8_1
  src/UPDATING                                            1.632.2.14.2.10
  src/sys/conf/newvers.sh                                  1.83.2.10.2.11
  src/lib/libpam/modules/pam_ssh/pam_ssh.c                   1.45.2.2.2.2
RELENG_9
  src/lib/libpam/modules/pam_ssh/pam_ssh.c                       1.47.2.2
RELENG_9_0
  src/lib/libpam/modules/pam_ssh/pam_ssh.c                   1.47.2.1.2.2
– ————————————————————————-

Subversion:

Branch/path                                                      Revision
– ————————————————————————-
stable/7/                                                         r228421
releng/7.4/                                                       r228843
releng/7.3/                                                       r228843
stable/8/                                                         r228420
releng/8.2/                                                       r228843
releng/8.1/                                                       r228843
stable/9/                                                         r228410
releng/9.0/                                                       r228414
– ————————————————————————-

VII. References

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:09.pam_ssh.asc
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v2.0.18 (FreeBSD)

iEYEARECAAYFAk70nOoACgkQFdaIBMps37JTSwCfS+bmWBxv5hote7Hrcl7VZjjk
vKMAn116aLADxmdYsyZ5WdSrfFTRt3Xm
=Y+ar
—–END PGP SIGNATURE—–

原文链接:http://security.freebsd.org/advisories/FreeBSD-SA-11:09.pam_ssh.asc

FreeBSD-SA-11:08.telnetd

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

=============================================================================
FreeBSD-SA-11:08.telnetd                                    Security Advisory
                                                          The FreeBSD Project

Topic:          telnetd code execution vulnerability

Category:       core
Module:         contrib
Announced:      2011-12-23
Affects:        All supported versions of FreeBSD.
Corrected:      2011-12-23 15:00:37 UTC (RELENG_7, 7.4-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9)
                2011-12-23 15:00:37 UTC (RELENG_8, 8.2-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7)
                2011-12-23 15:00:37 UTC (RELENG_9, 9.0-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_9_0, 9.0-RELEASE)
CVE Name:       CVE-2011-4862

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The FreeBSD telnet daemon, telnetd(8), implements the server side of the
TELNET virtual terminal protocol.  It has been disabled by default in
FreeBSD since August 2001, and due to the lack of cryptographic security
in the TELNET protocol, it is strongly recommended that the SSH protocol
be used instead.  The FreeBSD telnet daemon can be enabled via the
/etc/inetd.conf configuration file and the inetd(8) daemon.

The TELNET protocol has a mechanism for encryption of the data stream
(but it is not cryptographically strong and should not be relied upon
in any security-critical applications).

II.  Problem Description

When an encryption key is supplied via the TELNET protocol, its length
is not validated before the key is copied into a fixed-size buffer.

III. Impact

An attacker who can connect to the telnetd daemon can execute arbitrary
code with the privileges of the daemon (which is usually the "root"
superuser).

IV.  Workaround

No workaround is available, but systems not running the telnet daemon
are not vulnerable.

Note that the telnet daemon is usually run via inetd, and consequently
will not show up in a process listing unless a connection is currently
active; to determine if it is enabled, run

$ ps ax | grep telnetd | grep -v grep
$ grep telnetd /etc/inetd.conf | grep -vE ‘^#’

If any output is produced, your system may be vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch dated
after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 7.3,
8.2, and 8.1  systems.

a) Download the patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-11:08/telnetd.patch
# fetch http://security.FreeBSD.org/patches/SA-11:08/telnetd.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libtelnet
# make obj && make depend && make && make install
# cd /usr/src/libexec/telnetd
# make obj && make depend && make && make install

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
– ————————————————————————-
RELENG_7
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c         1.1.1.2.24.1
  src/contrib/telnet/libtelnet/encrypt.c                         1.9.24.1
RELENG_7_4
  src/UPDATING                                             1.507.2.36.2.7
  src/sys/conf/newvers.sh                                  1.72.2.18.2.10
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c         1.1.1.2.38.1
  src/contrib/telnet/libtelnet/encrypt.c                         1.9.40.2
RELENG_7_3
  src/UPDATING                                            1.507.2.34.2.11
  src/sys/conf/newvers.sh                                  1.72.2.16.2.13
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c         1.1.1.2.36.1
  src/contrib/telnet/libtelnet/encrypt.c                         1.9.38.2
RELENG_8
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c          1.1.1.3.2.1
  src/contrib/telnet/libtelnet/encrypt.c                         1.9.36.2
RELENG_8_2
  src/UPDATING                                             1.632.2.19.2.7
  src/sys/conf/newvers.sh                                  1.83.2.12.2.10
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c          1.1.1.3.8.1
  src/contrib/telnet/libtelnet/encrypt.c                     1.9.36.1.6.2
RELENG_8_1
  src/UPDATING                                            1.632.2.14.2.10
  src/sys/conf/newvers.sh                                  1.83.2.10.2.11
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c          1.1.1.3.6.1
  src/contrib/telnet/libtelnet/encrypt.c                     1.9.36.1.4.2
RELENG_9
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c         1.1.1.3.10.1
  src/contrib/telnet/libtelnet/encrypt.c                         1.9.42.2
RELENG_9_0
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c         1.1.1.3.12.1
  src/contrib/telnet/libtelnet/encrypt.c                     1.9.42.1.2.2
– ————————————————————————-

Subversion:

Branch/path                                                      Revision
– ————————————————————————-
stable/7/                                                         r228843
releng/7.4/                                                       r228843
releng/7.3/                                                       r228843
stable/8/                                                         r228843
releng/8.2/                                                       r228843
releng/8.1/                                                       r228843
stable/9/                                                         r228843
releng/9.0/                                                       r228843
– ————————————————————————-

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:08.telnetd.asc
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v2.0.18 (FreeBSD)

iEYEARECAAYFAk70nOoACgkQFdaIBMps37IYcwCfXn5aQTfQDe/AnS31JBg+BB1m
HJMAmgOE5pUKTlFqLw5UBouMNFfUmu2u
=dcyj
—–END PGP SIGNATURE—–

原文链接:http://security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc

FreeBSD-SA-11:07.chroot

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

=============================================================================
FreeBSD-SA-11:07.chroot                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Code execution via chrooted ftpd

Category:       core
Module:         libc
Announced:      2011-12-23
Affects:        All supported versions of FreeBSD.
Corrected:      2011-12-23 15:00:37 UTC (RELENG_7, 7.4-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9)
                2011-12-23 15:00:37 UTC (RELENG_8, 8.2-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7)
                2011-12-23 15:00:37 UTC (RELENG_9, 9.0-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_9_0, 9.0-RELEASE)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

Chroot is an operation that changes the apparent root directory for the
current process and its children.  The chroot(2) system call is widely
used in many applications as a measure of limiting a process’s access to
the file system, as part of implementing privilege separation.

The nsdispatch(3) API implementation has a feature to reload its
configuration on demand.  This feature may also load shared libraries
and run code provided by the library when requested by the configuration
file.

II.  Problem Description

The nsdispatch(3) API has no mechanism to alert it to whether it is
operating within a chroot environment in which the standard paths for
configuration files and shared libraries may be untrustworthy.

The FreeBSD ftpd(8) daemon can be configured to use chroot(2), and
also uses the nsdispatch(3) API.

III. Impact

If ftpd is configured to place a user in a chroot environment, then an
attacker who can log in as that user may be able to run arbitrary code
with elevated ("root") privileges.

IV.  Workaround

Don’t use ftpd with the chroot option.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to
the RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security
branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 7.3,
8.2 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.3 and 7.4]
# fetch http://security.FreeBSD.org/patches/SA-11:07/chroot7.patch
# fetch http://security.FreeBSD.org/patches/SA-11:07/chroot7.patch.asc

[FreeBSD 8.1 and 8.2]
# fetch http://security.FreeBSD.org/patches/SA-11:07/chroot8.patch
# fetch http://security.FreeBSD.org/patches/SA-11:07/chroot8.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system as described in
<URL: http://www.freebsd.org/handbook/makeworld.html> and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

4) This update adds a new API, __FreeBSD_libc_enter_restricted_mode()
to the C library, which completely disables loading of shared libraries
upon return.  Applications doing chroot(2) jails need to be updated
to call this API explicitly right after the chroot(2) operation as a
safety measure.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
– ————————————————————————-
RELENG_7
  src/include/unistd.h                                           1.80.2.4
  src/lib/libc/include/libc_private.h                            1.17.2.4
  src/lib/libc/Versions.def                                       1.3.2.3
  src/lib/libc/net/nsdispatch.c                                  1.14.2.3
  src/lib/libc/gen/Symbol.map                                     1.6.2.7
  src/lib/libc/gen/Makefile.inc                                 1.128.2.6
  src/lib/libc/gen/libc_dlopen.c                                  1.2.2.2
  src/libexec/ftpd/popen.c                                      1.26.10.2
  src/libexec/ftpd/ftpd.c                                       1.212.2.2
RELENG_7_4
  src/UPDATING                                             1.507.2.36.2.7
  src/sys/conf/newvers.sh                                  1.72.2.18.2.10
  src/include/unistd.h                                       1.80.2.3.4.2
  src/lib/libc/include/libc_private.h                        1.17.2.3.4.2
  src/lib/libc/Versions.def                                   1.3.2.2.4.2
  src/lib/libc/net/nsdispatch.c                              1.14.2.2.2.2
  src/lib/libc/gen/Symbol.map                                 1.6.2.6.4.2
  src/lib/libc/gen/Makefile.inc                             1.128.2.5.4.2
  src/lib/libc/gen/libc_dlopen.c                                  1.2.4.2
  src/libexec/ftpd/popen.c                                  1.26.10.1.2.2
  src/libexec/ftpd/ftpd.c                                   1.212.2.1.6.2
RELENG_7_3
  src/UPDATING                                            1.507.2.34.2.11
  src/sys/conf/newvers.sh                                  1.72.2.16.2.13
  src/include/unistd.h                                       1.80.2.3.2.2
  src/lib/libc/include/libc_private.h                        1.17.2.3.2.2
  src/lib/libc/Versions.def                                   1.3.2.2.2.2
  src/lib/libc/net/nsdispatch.c                              1.14.2.1.6.2
  src/lib/libc/gen/Symbol.map                                 1.6.2.6.2.2
  src/lib/libc/gen/Makefile.inc                             1.128.2.5.2.2
  src/lib/libc/gen/libc_dlopen.c                                  1.1.2.1
  src/libexec/ftpd/popen.c                                      1.26.24.2
  src/libexec/ftpd/ftpd.c                                   1.212.2.1.4.2
RELENG_8
  src/include/unistd.h                                           1.95.2.2
  src/lib/libc/include/libc_private.h                            1.20.2.3
  src/lib/libc/Versions.def                                       1.8.2.3
  src/lib/libc/net/nsdispatch.c                                  1.18.2.3
  src/lib/libc/gen/Symbol.map                                    1.21.2.6
  src/lib/libc/gen/Makefile.inc                                 1.144.2.7
  src/lib/libc/gen/libc_dlopen.c                                  1.1.4.2
  src/libexec/ftpd/popen.c                                      1.26.22.3
  src/libexec/ftpd/ftpd.c                                       1.214.2.3
RELENG_8_2
  src/UPDATING                                             1.632.2.19.2.7
  src/sys/conf/newvers.sh                                  1.83.2.12.2.10
  src/include/unistd.h                                       1.95.2.1.6.2
  src/lib/libc/include/libc_private.h                        1.20.2.2.4.2
  src/lib/libc/Versions.def                                   1.8.2.2.4.2
  src/lib/libc/net/nsdispatch.c                              1.18.2.2.2.2
  src/lib/libc/gen/Symbol.map                                1.21.2.5.2.2
  src/lib/libc/gen/Makefile.inc                             1.144.2.6.2.2
  src/lib/libc/gen/libc_dlopen.c                                  1.2.8.2
  src/libexec/ftpd/popen.c                                  1.26.22.2.4.2
  src/libexec/ftpd/ftpd.c                                   1.214.2.1.6.2
RELENG_8_1
  src/UPDATING                                            1.632.2.14.2.10
  src/sys/conf/newvers.sh                                  1.83.2.10.2.11
  src/include/unistd.h                                       1.95.2.1.4.2
  src/lib/libc/include/libc_private.h                        1.20.2.2.2.2
  src/lib/libc/Versions.def                                   1.8.2.2.2.2
  src/lib/libc/net/nsdispatch.c                              1.18.2.1.4.2
  src/lib/libc/gen/Symbol.map                                1.21.2.3.2.2
  src/lib/libc/gen/Makefile.inc                             1.144.2.4.2.2
  src/lib/libc/gen/libc_dlopen.c                                 1.2.10.2
  src/libexec/ftpd/popen.c                                  1.26.22.2.2.2
  src/libexec/ftpd/ftpd.c                                   1.214.2.1.4.2
RELENG_9
  src/include/unistd.h                                          1.101.2.2
  src/lib/libc/include/libc_private.h                            1.26.2.2
  src/lib/libc/Versions.def                                       1.9.2.2
  src/lib/libc/net/nsdispatch.c                                  1.19.2.2
  src/lib/libc/gen/Symbol.map                                    1.38.2.2
  src/lib/libc/gen/Makefile.inc                                 1.159.2.2
  src/lib/libc/gen/libc_dlopen.c                                  1.1.6.2
  src/lib/libc/iconv/citrus_module.c                              1.1.2.2
  src/libexec/ftpd/popen.c                                       1.27.2.2
  src/libexec/ftpd/ftpd.c                                       1.220.2.2
RELENG_9_0
  src/include/unistd.h                                      1.101.2.1.2.2
  src/lib/libc/include/libc_private.h                        1.26.2.1.2.2
  src/lib/libc/Versions.def                                   1.9.2.1.2.2
  src/lib/libc/net/nsdispatch.c                              1.19.2.1.2.2
  src/lib/libc/gen/Symbol.map                                1.38.2.1.2.2
  src/lib/libc/gen/Makefile.inc                             1.159.2.1.2.2
  src/lib/libc/gen/libc_dlopen.c                                  1.2.6.2
  src/lib/libc/iconv/citrus_module.c                          1.1.2.1.2.2
  src/libexec/ftpd/popen.c                                   1.27.2.1.2.2
  src/libexec/ftpd/ftpd.c                                   1.220.2.1.2.2
– ————————————————————————-

Subversion:

Branch/path                                                      Revision
– ————————————————————————-
stable/7/                                                         r228843
releng/7.4/                                                       r228843
releng/7.3/                                                       r228843
stable/8/                                                         r228843
releng/8.2/                                                       r228843
releng/8.1/                                                       r228843
stable/9/                                                         r228843
releng/9.0/                                                       r228843
– ————————————————————————-

VII. References

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:07.chroot.asc
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v2.0.18 (FreeBSD)

iEYEARECAAYFAk70nOoACgkQFdaIBMps37ILmgCgjVxRH+NsPpnXOVdwWmuxlSDp
h9wAniE0tokORcqQlFJim5Pc1Z65ybwl
=45yE
—–END PGP SIGNATURE—–

原文链接:http://security.freebsd.org/advisories/FreeBSD-SA-11:07.chroot.asc

FreeBSD-SA-11:06.bind

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

=============================================================================
FreeBSD-SA-11:06.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Remote packet Denial of Service against named(8) servers

Category:       contrib
Module:         bind
Announced:      2011-12-23
Affects:        All supported versions of FreeBSD.
Corrected:      2011-11-17 01:10:16 UTC (RELENG_7, 7.4-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9)
                2011-11-17 00:36:10 UTC (RELENG_8, 8.2-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7)
                2011-12-01 21:13:41 UTC (RELENG_9, 9.0-STABLE)
                2011-12-01 21:17:59 UTC (RELENG_9_0, 9.0-RC3)
                2011-11-16 23:41:13 UTC (ports tree)
CVE Name:       CVE-2011-4313

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

II.  Problem Description

A remote attacker could cause the BIND resolver to cache an invalid
record, which could cause the BIND daemon to crash when that record
is being queried.

III. Impact

An attacker that is able to send an specifically crafted response to the
BIND daemon can cause it to crash, resulting in a denial of service.

Note that due to the nature of this vulnerability, the attacker does
not necessarily have to have query access to the victim server.  The
vulnerability can be triggered by tricking legitimate clients, for
instance spam filtering systems or an end user browser, which can be
made to the query on their behalf.

IV.  Workaround

No workaround is available, but systems not running the BIND resolving
name server are not affected.

Servers that are running in authoritative-only mode appear not to be
affected by this vulnerability.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch dated
after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 7.3,
8.2 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.3-RELEASE and 7.4-RELEASE]
# fetch http://security.FreeBSD.org/patches/SA-11:06/bind7.patch
# fetch http://security.FreeBSD.org/patches/SA-11:06/bind7.patch.asc

[FreeBSD 8.1-RELEASE and 8.2-RELEASE]
# fetch http://security.FreeBSD.org/patches/SA-11:06/bind8.patch
# fetch http://security.FreeBSD.org/patches/SA-11:06/bind8.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind/
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

4) Install and run BIND from the Ports Collection after the correction
date.  The following versions and newer versions of BIND installed from
the Ports Collection already have the mitigation measure:

        bind96-9.6.3.1.ESV.R5.1
        bind97-9.7.4.1
        bind98-9.8.1.1

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
– ————————————————————————-
RELENG_7
  src/contrib/bind9/lib/dns/rbtdb.c                           1.1.1.4.2.9
  src/contrib/bind9/bin/named/query.c                         1.1.1.6.2.8
RELENG_7_4
  src/UPDATING                                             1.507.2.36.2.7
  src/sys/conf/newvers.sh                                  1.72.2.18.2.10
  src/contrib/bind9/lib/dns/rbtdb.c                       1.1.1.4.2.6.2.1
  src/contrib/bind9/bin/named/query.c                     1.1.1.6.2.6.2.1
RELENG_7_3
  src/UPDATING                                            1.507.2.34.2.11
  src/sys/conf/newvers.sh                                  1.72.2.16.2.13
  src/contrib/bind9/lib/dns/rbtdb.c                       1.1.1.4.2.3.2.2
  src/contrib/bind9/bin/named/query.c                     1.1.1.6.2.3.2.2
RELENG_8
  src/contrib/bind9/lib/dns/rbtdb.c                               1.3.2.9
  src/contrib/bind9/bin/named/query.c                             1.3.2.8
RELENG_8_2
  src/UPDATING                                             1.632.2.19.2.7
  src/sys/conf/newvers.sh                                  1.83.2.12.2.10
  src/contrib/bind9/lib/dns/rbtdb.c                           1.3.2.5.2.1
  src/contrib/bind9/bin/named/query.c                         1.3.2.5.2.1
RELENG_8_1
  src/UPDATING                                            1.632.2.14.2.10
  src/sys/conf/newvers.sh                                  1.83.2.10.2.11
  src/contrib/bind9/lib/dns/rbtdb.c                           1.3.2.3.2.1
  src/contrib/bind9/bin/named/query.c                         1.3.2.3.2.1
RELENG_9
  src/contrib/bind9/lib/dns/rbtdb.c                              1.13.2.1
  src/contrib/bind9/bin/named/query.c                            1.11.2.1
RELENG_9_0
  src/contrib/bind9/lib/dns/rbtdb.c                              1.13.4.1
  src/contrib/bind9/bin/named/query.c                            1.11.4.1
– ————————————————————————-

Subversion:

Branch/path                                                      Revision
– ————————————————————————-
stable/7/                                                         r227603
releng/7.4/                                                       r228843
releng/7.3/                                                       r228843
stable/8/                                                         r227599
releng/8.2/                                                       r228843
releng/8.1/                                                       r228843
stable/9/                                                         r228189
releng/9.0/                                                       r228190
– ————————————————————————-

VII. References

https://www.isc.org/software/bind/advisories/cve-2011-4313

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4313

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:06.bind.asc
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v2.0.18 (FreeBSD)

iEYEARECAAYFAk70nOoACgkQFdaIBMps37K18wCeLYPkREXJsMXYdzt+guRFcPZR
VY4AoII3kmCzRX/gYRmPW7lwGqWIgwlM
=wMSJ
—–END PGP SIGNATURE—–

原文链接:http://security.freebsd.org/advisories/FreeBSD-SA-11:06.bind.asc

FreeBSD-SA-11:05.unix

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

=============================================================================
FreeBSD-SA-11:05.unix                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Buffer overflow in handling of UNIX socket addresses

Category:       core
Module:         kern
Announced:      2011-09-28
Credits:        Mateusz Guzik
Affects:        All supported versions of FreeBSD.
Corrected:      2011-09-28 08:47:17 UTC (RELENG_7, 7.4-STABLE)
                2011-09-28 08:47:17 UTC (RELENG_7_4, 7.4-RELEASE-p3)
                2011-09-28 08:47:17 UTC (RELENG_7_3, 7.3-RELEASE-p7)
                2011-09-28 08:47:17 UTC (RELENG_8, 8.2-STABLE)
                2011-09-28 08:47:17 UTC (RELENG_8_2, 8.2-RELEASE-p3)
                2011-09-28 08:47:17 UTC (RELENG_8_1, 8.1-RELEASE-p5)
                2011-09-28 08:47:17 UTC (RELENG_9, 9.0-RC1)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

UNIX-domain sockets, also known as "local" sockets, are a mechanism for
interprocess communication.  They are similar to Internet sockets (and
utilize the same system calls) but instead of relying on IP addresses
and port numbers, UNIX-domain sockets have addresses in the local file
system address space.

II.  Problem Description

When a UNIX-domain socket is attached to a location using the bind(2)
system call, the length of the provided path is not validated.  Later,
when this address was returned via other system calls, it is copied into
a fixed-length buffer.

III. Impact

A local user can cause the FreeBSD kernel to panic.  It may also be
possible to execute code with elevated privileges ("gain root"), escape
from a jail, or to bypass security mechanisms in other ways.

IV.  Workaround

No workaround is available, but systems without untrusted local users
are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to
the RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security
branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patch has been verified to apply to FreeBSD 7.4, 7.3,
8.2 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-11:05/unix.patch
# fetch http://security.FreeBSD.org/patches/SA-11:05/unix.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
– ————————————————————————-
RELENG_7
  src/sys/kern/uipc_usrreq.c                                   1.206.2.13
RELENG_7_4
  src/UPDATING                                             1.507.2.36.2.5
  src/sys/conf/newvers.sh                                   1.72.2.18.2.8
  src/sys/kern/uipc_usrreq.c                               1.206.2.11.4.2
RELENG_7_3
  src/UPDATING                                             1.507.2.34.2.9
  src/sys/conf/newvers.sh                                  1.72.2.16.2.11
  src/sys/kern/uipc_usrreq.c                               1.206.2.11.2.2
RELENG_8
  src/sys/kern/uipc_usrreq.c                                    1.233.2.6
RELENG_8_2
  src/UPDATING                                             1.632.2.19.2.5
  src/sys/conf/newvers.sh                                   1.83.2.12.2.8
  src/sys/kern/uipc_usrreq.c                                1.233.2.2.2.2
RELENG_8_1
  src/UPDATING                                             1.632.2.14.2.8
  src/sys/conf/newvers.sh                                   1.83.2.10.2.9
  src/sys/kern/uipc_usrreq.c                                1.233.2.1.4.2
RELENG_9
  src/sys/kern/uipc_usrreq.c                                    1.244.2.2
– ————————————————————————-

Subversion:

Branch/path                                                      Revision
– ————————————————————————-
stable/7/                                                         r225827
releng/7.4/                                                       r225827
releng/7.3/                                                       r225827
stable/8/                                                         r225827
releng/8.2/                                                       r225827
releng/8.1/                                                       r225827
stable/9/                                                         r225827
– ————————————————————————-

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:05.unix.asc
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v2.0.18 (FreeBSD)

iEYEARECAAYFAk6C4nUACgkQFdaIBMps37J5lwCgnq8BUBWckn0ZKMcsK5IDKMDV
ocgAn0PwSvoKxjGY4dgHlM1M6xVM8OWz
=AO92
—–END PGP SIGNATURE—–

原文链接:http://security.freebsd.org/advisories/FreeBSD-SA-11:05.unix.asc

FreeBSD-SA-11:04.compress.asc

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

=============================================================================
FreeBSD-SA-11:04.compress                                   Security Advisory
                                                          The FreeBSD Project

Topic:          Errors handling corrupt compress file in compress(1)
                and gzip(1)

Category:       core
Module:         compress
Announced:      2011-09-28
Credits:        Tomas Hoger, Joerg Sonnenberger
Affects:        All supported versions of FreeBSD.
Corrected:      2011-09-28 08:47:17 UTC (RELENG_7, 7.4-STABLE)
                2011-09-28 08:47:17 UTC (RELENG_7_4, 7.4-RELEASE-p3)
                2011-09-28 08:47:17 UTC (RELENG_7_3, 7.3-RELEASE-p7)
                2011-09-28 08:47:17 UTC (RELENG_8, 8.2-STABLE)
                2011-09-28 08:47:17 UTC (RELENG_8_2, 8.2-RELEASE-p3)
                2011-09-28 08:47:17 UTC (RELENG_8_1, 8.1-RELEASE-p5)
                2011-09-28 08:47:17 UTC (RELENG_9, 9.0-RC1)
CVE Name:       CVE-2011-2895

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The compress utility reduces the size of files using adaptive Lempel-Ziv
coding, or LZW coding, a lossless data compression algorithm.

Both compress(1) and gzip(1) uses code derived from 4.3BSD compress(1).

II.  Problem Description

The code used to decompress a file created by compress(1) does not do
sufficient boundary checks on compressed code words, allowing reference
beyond the decompression table, which may result in a stack overflow or
an infinite loop when the decompressor encounters a corrupted file.

III. Impact

An attacker who can cause a corrupt archive of his choice to be parsed
by uncompress(1) or gunzip(1), can cause these utilities to enter an
infinite loop, to core dump, or possibly to execute arbitrary code
provided by the attacker.

IV.  Workaround

No workaround is available, but systems not handling adaptive Lempel-Ziv
compressed files (.Z) from untrusted source are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to
the RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security
branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 7.3,
8.2 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-11:04/compress.patch
# fetch http://security.FreeBSD.org/patches/SA-11:04/compress.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.bin/compress
# make obj && make depend && make && make install
# cd /usr/src/usr.bin/gzip
# make obj && make depend && make && make install

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
– ————————————————————————-
RELENG_7
  src/usr.bin/compress/zopen.c                                  1.12.10.1
  src/usr.bin/gzip/zuncompress.c                                  1.1.4.3
RELENG_7_4
  src/UPDATING                                             1.507.2.36.2.5
  src/sys/conf/newvers.sh                                   1.72.2.18.2.8
  src/usr.bin/compress/zopen.c                                  1.12.26.2
  src/usr.bin/gzip/zuncompress.c                              1.1.4.1.4.2
RELENG_7_3
  src/UPDATING                                             1.507.2.34.2.9
  src/sys/conf/newvers.sh                                  1.72.2.16.2.11
  src/usr.bin/compress/zopen.c                                  1.12.24.2
  src/usr.bin/gzip/zuncompress.c                              1.1.4.1.2.2
RELENG_8
  src/usr.bin/compress/zopen.c                                  1.12.22.2
  src/usr.bin/gzip/zuncompress.c                                  1.2.2.3
RELENG_8_2
  src/UPDATING                                             1.632.2.19.2.5
  src/sys/conf/newvers.sh                                   1.83.2.12.2.8
  src/usr.bin/compress/zopen.c                              1.12.22.1.6.2
  src/usr.bin/gzip/zuncompress.c                              1.2.2.1.6.2
RELENG_8_1
  src/UPDATING                                             1.632.2.14.2.8
  src/sys/conf/newvers.sh                                   1.83.2.10.2.9
  src/usr.bin/compress/zopen.c                              1.12.22.1.4.2
  src/usr.bin/gzip/zuncompress.c                              1.2.2.1.4.2
RELENG_9
  src/usr.bin/compress/zopen.c                                   1.16.2.2
  src/usr.bin/gzip/zuncompress.c                                  1.4.2.2
– ————————————————————————-

Subversion:

Branch/path                                                      Revision
– ————————————————————————-
stable/7/                                                         r225827
releng/7.4/                                                       r225827
releng/7.3/                                                       r225827
stable/8/                                                         r225827
releng/8.2/                                                       r225827
releng/8.1/                                                       r225827
stable/9/                                                         r225827
– ————————————————————————-

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2895

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:04.compress.asc
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v2.0.18 (FreeBSD)

iEYEARECAAYFAk6C4nIACgkQFdaIBMps37LymQCgmW2YYsSqvjxhiuHXt0bCcCgd
K5YAnA0/Z8++C6TKtUJ5Bzogd80a9OEd
=I+0k
—–END PGP SIGNATURE—–

原文链接:http://security.freebsd.org/advisories/FreeBSD-SA-11:04.compress.asc

FreeBSD-SA-11:03.bind

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

=============================================================================
FreeBSD-SA-11:03.bind Security Advisory
The FreeBSD Project

Topic: Remote packet Denial of Service against named(8) servers

Category: contrib
Module: bind
Announced: 2011-09-28
Credits: Roy Arends
Affects: 8.2-STABLE after 2011-05-28 and prior to the correction date
Corrected: 2011-07-06 00:50:54 UTC (RELENG_8, 8.2-STABLE)
CVE Name: CVE-2011-2464

Note: This advisory concerns a vulnerability which existed only in
the FreeBSD 8-STABLE branch and was fixed over two months prior to the
date of this advisory.

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

II. Problem Description

A logic error in the BIND code causes the BIND daemon to accept bogus
data, which could cause the daemon to crash.

III. Impact

An attacker able to send traffic to the BIND daemon can cause it to
crash, resulting in a denial of service.

IV. Workaround

No workaround is available, but systems not running the BIND name server
are not affected.

V. Solution

Upgrade your vulnerable system to 8-STABLE dated after the correction
date.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch Revision
Path
– ————————————————————————-
RELENG_8
src/contrib/bind9/lib/dns/message.c 1.3.2.3
– ————————————————————————-

Subversion:

Branch/path
Revision
– ————————————————————————-
stable/8/ r223815
– ————————————————————————-

VII. References

http://www.isc.org/software/bind/advisories/cve-2011-2464 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2464
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:03.bind.asc —–BEGIN PGP SIGNATURE—–
Version: GnuPG v2.0.18 (FreeBSD)

iEYEARECAAYFAk6C4CYACgkQFdaIBMps37LwQgCeIDVGsCWOLoVdmWogOOaPC1UG
9G8AoJPlRbNmkEWMg7uoOYrvjWlRRdlK
=aUvD
—–END PGP SIGNATURE—–

原文链接:http://security.freebsd.org/advisories/FreeBSD-SA-11:03.bind.asc

FreeBSD-SA-11:02.bind

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-11:02.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          BIND remote DoS with large RRSIG RRsets and negative caching

Category:       contrib
Module:         bind
Announced:      2011-05-28
Credits:        Frank Kloeker, Michael Sinatra.
Affects:        All supported versions of FreeBSD.
Corrected:      2011-05-28 00:58:19 UTC (RELENG_7, 7.4-STABLE)
                2011-05-28 08:44:39 UTC (RELENG_7_3, 7.3-RELEASE-p6)
                2011-05-28 08:44:39 UTC (RELENG_7_4, 7.4-RELEASE-p2)
                2011-05-28 00:33:06 UTC (RELENG_8, 8.2-STABLE)
                2011-05-28 08:44:39 UTC (RELENG_8_1, 8.1-RELEASE-p4)
                2011-05-28 08:44:39 UTC (RELENG_8_2, 8.2-RELEASE-p2)
CVE Name:       CVE-2011-1910

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

DNS Security Extensions (DNSSEC) provides data integrity, origin
authentication and authenticated denial of existence to resolvers.

II.  Problem Description

Very large RRSIG RRsets included in a negative response can trigger
an assertion failure that will crash named(8) due to an off-by-one error
in a buffer size check.

III. Impact

If named(8) is being used as a recursive resolver, an attacker who
controls a DNS zone being resolved can cause named(8) to crash,
resulting in a denial of (DNS resolving) service.

DNSSEC does not need to be enabled on the resolver for it to be
vulnerable.

IV.  Workaround

No workaround is available, but systems not running the BIND DNS server
or using it exclusively as an authoritative name server (i.e., not as a
caching resolver) are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE,
or to the RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3
security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD
7.3, 7.4, 8.1 and 8.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-11:02/bind.patch
# fetch http://security.FreeBSD.org/patches/SA-11:02/bind.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install
# /etc/rc.d/named restart

3) To update your vulnerable system via a binary patch:

Systems running 7.3-RELEASE, 7.4-RELEASE, 8.1-RELEASE, or 8.2-RELEASE
on the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/contrib/bind9/lib/dns/ncache.c                          1.1.1.2.2.3
RELENG_7_4
  src/UPDATING                                             1.507.2.36.2.4
  src/sys/conf/newvers.sh                                   1.72.2.18.2.7
  src/contrib/bind9/lib/dns/ncache.c                      1.1.1.2.2.2.2.1
RELENG_7_3
  src/UPDATING                                             1.507.2.34.2.8
  src/sys/conf/newvers.sh                                  1.72.2.16.2.10
  src/contrib/bind9/lib/dns/ncache.c                         1.1.1.2.10.1
RELENG_8
  src/contrib/bind9/lib/dns/ncache.c                              1.2.2.4
RELENG_8_2
  src/UPDATING                                             1.632.2.19.2.4
  src/sys/conf/newvers.sh                                   1.83.2.12.2.7
  src/contrib/bind9/lib/dns/ncache.c                          1.2.2.2.2.1
RELENG_8_1
  src/UPDATING                                             1.632.2.14.2.7
  src/sys/conf/newvers.sh                                   1.83.2.10.2.8
  src/contrib/bind9/lib/dns/ncache.c                          1.2.2.1.2.1
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/7/                                                         r222399
releng/7.4/                                                       r222416
releng/7.3/                                                       r222416
stable/8/                                                         r222396
releng/8.2/                                                       r222416
releng/8.1/                                                       r222416
head/                                                             r222395
- -------------------------------------------------------------------------

VII. References

http://www.isc.org/software/bind/advisories/cve-2011-1910
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1910

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:02.bind.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9

iEYEARECAAYFAk3gvuQACgkQFdaIBMps37L2iACgizZK4QS3rOaY0x7evMuyWIop
OaoAn3Pku/9HCSUULC2xurSnGU3AtJcz
=aG4/
-----END PGP SIGNATURE-----

 

原文链接:http://security.freebsd.org/advisories/FreeBSD-SA-11:02.bind.asc

FreeBSD-SA-11:01.mountd

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

=============================================================================
FreeBSD-SA-11:01.mountd                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Network ACL mishandling in mountd(8)

Category:       core
Module:         mountd
Announced:      2011-04-20
Credits:        Ruslan Ermilov
Affects:        All supported versions of FreeBSD
Corrected:      2011-04-20 21:00:24 UTC (RELENG_7, 7.4-STABLE)
                2011-04-20 21:00:24 UTC (RELENG_7_3, 7.3-RELEASE-p5)
                2011-04-20 21:00:24 UTC (RELENG_7_4, 7.4-RELEASE-p1)
                2011-04-20 21:00:24 UTC (RELENG_8, 8.2-STABLE)
                2011-04-20 21:00:24 UTC (RELENG_8_1, 8.1-RELEASE-p3)
                2011-04-20 21:00:24 UTC (RELENG_8_2, 8.2-RELEASE-p1)
CVE Name:       CVE-2011-1739

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The mountd(8) daemon services NFS mount requests from other client
machines.  When mountd is started, it loads the export host addresses
and options into the kernel using the mount(2) system call.

II.  Problem Description

While parsing the exports(5) table, a network mask in the form of
"-network=netname/prefixlength" results in an incorrect network mask
being computed if the prefix length is not a multiple of 8.

For example, specifying the ACL for an export as "-network 192.0.2.0/23"
would result in a netmask of 255.255.127.0 being used instead of the
correct netmask of 255.255.254.0.

III. Impact

When using a prefix length which is not multiple of 8, access would be
granted to the wrong client systems.

IV.  Workaround

For IPv4-only systems, using the -netmask option instead of CIDR notion
for -network circumvents this bug.

A firewall such as pf(4) can (and probably should) be used to restrict
access to the NFS server.

Systems not providing NFS service, or using a prefix length which is a
multiple of 8 in all ACLs, are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_2, RELENG_8_1, RELENG_7_4, RELENG_7_3 security branch dated
after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.3, 7.4,
8.1 and 8.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-11:01/mountd.patch
# fetch http://security.FreeBSD.org/patches/SA-11:01/mountd.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/mountd
# make obj && make depend && make && make install

3) To update your vulnerable system via a binary patch:

Systems running 7.3-RELEASE, 7.4-RELEASE, 8.1-RELEASE or 8.2-RELEASE on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
– ————————————————————————-
RELENG_7
  src/usr.sbin/mountd/mountd.c                                   1.94.2.3
RELENG_7_4
  src/UPDATING                                             1.507.2.36.2.3
  src/sys/conf/newvers.sh                                   1.72.2.18.2.6
  src/usr.sbin/mountd/mountd.c                               1.94.2.2.8.2
RELENG_7_3
  src/UPDATING                                             1.507.2.34.2.7
  src/sys/conf/newvers.sh                                   1.72.2.16.2.9
  src/usr.sbin/mountd/mountd.c                               1.94.2.2.6.2
RELENG_8
  src/usr.sbin/mountd/mountd.c                                  1.105.2.3
RELENG_8_2
  src/UPDATING                                             1.632.2.19.2.3
  src/sys/conf/newvers.sh                                   1.83.2.12.2.6
  src/usr.sbin/mountd/mountd.c                              1.105.2.2.4.2
RELENG_8_1
  src/UPDATING                                             1.632.2.14.2.6
  src/sys/conf/newvers.sh                                   1.83.2.10.2.7
  src/usr.sbin/mountd/mountd.c                              1.105.2.2.2.2
– ————————————————————————-

Subversion:

Branch/path                                                      Revision
– ————————————————————————-
stable/7/                                                         r220901
releng/7.3/                                                       r220901
releng/7.4/                                                       r220901
stable/8/                                                         r220901
releng/8.1/                                                       r220901
releng/8.2/                                                       r220901
– ————————————————————————-

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1739

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:01.mountd.asc
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.11 (FreeBSD)

iEYEARECAAYFAk2vSjwACgkQFdaIBMps37J91ACfbj6PbStDVBISUx/jC8/3n0uS
+oUAnj9TdPvwezLnrej/XMahWlHQHK1N
=Hv1Y
—–END PGP SIGNATURE—–

ZFS v13 在FreeBSD 8.0 rc2中的实践

ZFS v13 在FreeBSD 8.0 rc2中的实践

属主:ZoomQuiet

参考:存储的规划[URL:http://www.bsdart.org/archives/20101226/518.html]

概述

本文包含 FreeBSD 8.0rc2 环境中一个 raidz-2+hot spares 配置和测试实例,为其它有意使用 ZFS 代替raid* 来保卫数据安全的SA, 在进行硬盘和 zpool 规划时,提供了一个足够友好的参考。

条件

* OS: FreeBSD svnmain.s.kingsoft.net 8.0-RC1 FreeBSD 8.0-RC1 #0: Thu Sep 17 18:50:57 UTC 2009 root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64

目标

在足够的硬盘数量支持下:

1,尽可能的使用多的空间
2,运用双奇偶检验来确保数据写安全
3,附加一个热备硬盘来冗灾数据盘的坏损
4,系统分区坏损时也可以立即恢复

硬件

Dell? PowerEdge? 2900 III
6x500G SAS 硬盘
6G 内存

规划

ZFS v13 在FreeBSD 8.0 rc2中的实践

意图

6x300G SAS 空间划分相同=>4G+496G 两部分

    6x4G 空间
    >>3组作系统空间,进行相同的分区,并定期进行 dd 备份
    >>3组作swap 给系统提供 16G 缓存,刚好是内存的两倍
    6x496G 空间
    >>1.5T 可用(3+2) RAID-Z2+1 hot spare

部署

简要说明在部署过程中的关键操作和思路

BIOS

    因为,下单时考虑不周,主机带了个绕不过去的 RAID 卡
    所以,必须先在 BIOS 中使用 raid0 策略对所有硬盘进行配置,否则 FreeBSD 安装程序无法加载硬盘

FreeBSD

* 使用 sysinstall 标准的进行 BSD 安装 * 注意对预备进行系统冗灾备份的分区要进行大小一致的划分(bsdlabel) * 每个分区的大小是精心测算过的:

1,/ → ??Mb 因为
2,/tmp → ??Mb 因为
3,/var → ??Mb 因为
4,/usr → ??Mb 因为

* 这样确保系统在4G 空间中就可以完全运行起来!

geom label

因为将来各个硬盘都有可能先杯具,所以,不能依赖盘序会孬 BIOS 自动调整的 bsd卷标
使用 geom label 进行固化!

##重启系统,在 loader 提示符下键入 4 启动到单用户模式
# glabel label rootfs /dev/mfid0s1a
GEOM_LABEL: Label for provider /dev/mfid0s1a is label/rootfs
# glabel label var /dev/mfid0s1d
GEOM_LABEL: Label for provider /dev/mfid0s1d is label/var
# glabel label usr /dev/mfid0s1f
GEOM_LABEL: Label for provider /dev/mfid0s1f is label/usr
# glabel label tmp /dev/mfid0s1e
GEOM_LABEL: Label for provider /dev/mfid0s1e is label/tmp
# glabel label swap /dev/mfid0s1b
GEOM_LABEL: Label for provider /dev/mfid0s1b is label/swap
# glabel label disk0 /dev/mfid0s2
GEOM_LABEL: Label for provider /dev/mfid0s2 is label/disk0

## 根据规划对所有硬盘的所有分区进行固定卷标
# cat /etc/fstab
… 类似
# Device                Mountpoint      FStype  Options         Dump    Pass#
/dev/label/swap         none            swap    sw              0       0
/dev/label/rootfs       /               ufs     rw              1       1
/dev/label/tmp          /tmp            ufs     rw              2       2
/dev/label/usr          /usr            ufs     rw              2       2
/dev/label/var          /var            ufs     rw              2       2
##正常重启后观察:
$ sudo mount
/dev/label/rootfs on / (ufs, local)
/dev/label/tmp on /tmp (ufs, local, soft-updates)
/dev/label/usr on /usr (ufs, local, soft-updates)
/dev/label/var on /var (ufs, local, soft-updates)

系统的 dd 备份

为确保备用系统分区随时可用,需要进行精密的复制:

#格式
sudo dd if= “系统分区全路径” of=“备份分区全路径”
#本例
sudo dd if=rootfs of=rootfs1
sudo dd if=rootfs of=rootfs2

要将所有系统分区都进行复制

ZFS

建立 3+2 RAID-Z2+1 host spare

$sudo zfs create svnpool raidz2 disk[0-4] spare disk5
$ zpool status
  pool: svnpool
state: ONLINE
scrub: resilver completed after 0h0m with 0 errors on Thu Nov 12 17:35:09 2009
config:

    NAME             STATE     READ WRITE CKSUM
    svnpool          ONLINE       0     0     0
      raidz2         ONLINE       0     0     0
        label/disk0  ONLINE       0     0     0  27.5K resilvered
        label/disk1  ONLINE       0     0     0  29K resilvered
        label/disk5  ONLINE       0     0     0  44K resilvered
        label/disk3  ONLINE       0     0     0  28.5K resilvered
        label/disk4  ONLINE       0     0     0  28K resilvered
    spares
      label/disk2    AVAIL 

$ zpool upgrade -v
This system is currently running ZFS pool version 13.

演习

通过实地热插拔硬盘来模拟实际常见灾难来明确在 ZFS 保卫中的系统和数据恢复

系统盘崩溃

模拟

1,先关机,拔除系统硬盘
2,开机后,无法引导

模拟成功…

处置

1,重启,进入 BIOS
2,调整硬盘启动顺序,指定 disk4/5 任意一块(有系统分区在的)
3,用光盘重启,使用 sysinstall—label功能手动挂载分区表 并写入启动硬盘 M键挂载分区,W写入更改
    第1分区 → /
    第2分区 → /tmp
    第3分区 → /var
    第4分区 → /usr
4,重启,将正常引导,而且使用 zpool status 测试,明确存储池也正常

处置成功,总用时 < 25分钟

数据盘崩溃

模拟

1,拔除任何一颗数据硬盘 (disk1~5)
2,系统丢出错误,重启
3,zfs 将观察到 DEGRADED 状态

模拟成功…

处置

1,先撤出故障盘

$ sudo zpool detach svnpool /dev/label/disk2
zpool status
  pool: svnpool
state: ONLINE
scrub: resilver completed after 0h0m with 0 errors on Thu Nov 12 17:35:09 2009
config:

        NAME             STATE     READ WRITE CKSUM
        svnpool          ONLINE       0     0     0
          raidz2         ONLINE       0     0     0
            label/disk0  ONLINE       0     0     0  27.5K resilvered
            label/disk1  ONLINE       0     0     0  29K resilvered
            label/disk5  ONLINE       0     0     0  44K resilvered
            label/disk3  ONLINE       0     0     0  28.5K resilvered
            label/disk4  ONLINE       0     0     0  28K resilvered
        spares
          label/disk5      INUSE     currently in use

2,FreeBSD 中的ZFS 当前无法自动激活热备件启用,手动替换之
格式: zpool replace svnpool ‘故障盘’ ‘热备件’

$ sudo zpool replace svnpool /dev/label/disk2 /dev/label/disk5
$ zpool status
  pool: svnpool
state: ONLINE
scrub: resilver completed after 0h0m with 0 errors on Thu Nov 12 17:35:09 2009
config:

        NAME             STATE     READ WRITE CKSUM
        svnpool          ONLINE       0     0     0
          raidz2         ONLINE       0     0     0
            label/disk0  ONLINE       0     0     0  27.5K resilvered
            label/disk1  ONLINE       0     0     0  29K resilvered
            label/disk5  ONLINE       0     0     0  44K resilvered
            label/disk3  ONLINE       0     0     0  28.5K resilvered
            label/disk4  ONLINE       0     0     0  28K resilvered

3,待修复故障硬盘或在同一物理位置替换(同大小)物理硬盘之后,手工追加热备件

$ sudo zpool add svnpool spare /dev/label/disk2
$ zpool status
  pool: svnpool
state: ONLINE
scrub: resilver completed after 0h0m with 0 errors on Thu Nov 12 17:35:09 2009
config:

        NAME             STATE     READ WRITE CKSUM
        svnpool          ONLINE       0     0     0
          raidz2         ONLINE       0     0     0
            label/disk0  ONLINE       0     0     0  27.5K resilvered
            label/disk1  ONLINE       0     0     0  29K resilvered
            label/disk5  ONLINE       0     0     0  44K resilvered
            label/disk3  ONLINE       0     0     0  28.5K resilvered
            label/disk4  ONLINE       0     0     0  28K resilvered
        spares
          label/disk2    AVAIL

4,安全起见 zpool clear ,并zpool status -x检查

处置完毕, 用时 10~15分钟

TODO

1,如何对 zpool 的变化进行自动报警?
2,如何自动使用 hot spare 替代离线的硬盘?
3,4G 的系统空间不足时,如何将耗空间的 目录链接到 zpool 中,而又保障依然可以正常用后备系统盘快速恢复?

讨论

这样是否最合理?
如果该主机只用以提供 SVN 服务,还有什么可以优化的?
如果该主机只用以提供 Samba 服务,还有什么可以优化的?
如果该主机只用以提供 ftp 服务,还有什么可以优化的?
如果该主机只用以提供 PostgreSQL 服务,还有什么可以优化的?
如果该主机用以提供 综合 服务,还有什么需要注意的?

原文链接:http://wiki.freebsdchina.org/doc/z/zfsusageforbsd8.0