FreeBSD-SA-12:03.bind

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-12:03.bind Security Advisory
The FreeBSD Project

Topic: Incorrect handling of zero-length RDATA fields in named(8)

Category: contrib
Module: bind
Announced: 2012-06-12
Credits: Dan Luther, Jeffrey A. Spain
Affects: All supported versions of FreeBSD
Corrected: 2012-06-12 12:10:10 UTC (RELENG_7, 7.4-STABLE)
2012-06-12 12:10:10 UTC (RELENG_7_4, 7.4-RELEASE-p9)
2012-06-04 22:21:55 UTC (RELENG_8, 8.3-STABLE)
2012-06-12 12:10:10 UTC (RELENG_8_3, 8.3-RELEASE-p3)
2012-06-12 12:10:10 UTC (RELENG_8_2, 8.2-RELEASE-p9)
2012-06-12 12:10:10 UTC (RELENG_8_1, 8.1-RELEASE-p11)
2012-06-04 22:14:33 UTC (RELENG_9, 9.0-STABLE)
2012-06-12 12:10:10 UTC (RELENG_9_0, 9.0-RELEASE-p3)
CVE Name: CVE-2012-1667

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

II. Problem Description

The named(8) server does not properly handle DNS resource records where
the RDATA field is zero length, which may cause various issues for the
servers handling them.

III. Impact

Resolving servers may crash or disclose some portion of memory to the
client. Authoritative servers may crash on restart after transferring a
zone containing records with zero-length RDATA fields. These would
result in a denial of service, or leak of sensitive information.
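A triage aid for the condition described above, added here as an example (it is not code from BIND or from the FreeBSD patch): it walks a DNS message in wire format and counts resource records whose RDLENGTH is 0. The function names and the sample message are constructed for illustration; OPT records are skipped on the assumption that an empty OPT is normal EDNS traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DNS_TYPE_OPT 41 /* EDNS pseudo-record; empty RDATA is normal */

static unsigned rd16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Step over an owner name; returns the offset after it, or -1 if malformed. */
static long skip_name(const uint8_t *msg, size_t len, size_t off)
{
    while (off < len) {
        uint8_t l = msg[off];
        if (l == 0)
            return (long)(off + 1);
        if ((l & 0xC0) == 0xC0)          /* compression pointer: 2 bytes */
            return off + 2 <= len ? (long)(off + 2) : -1;
        if (l & 0xC0)                    /* reserved label types */
            return -1;
        off += 1u + l;
    }
    return -1;
}

/* Count RRs with RDLENGTH == 0 (OPT excluded).
 * Returns -1 if the message is truncated or malformed. */
int dns_count_zero_rdata(const uint8_t *msg, size_t len)
{
    if (len < 12)
        return -1;
    unsigned qd = rd16(msg + 4);
    unsigned long rr = (unsigned long)rd16(msg + 6) + rd16(msg + 8) + rd16(msg + 10);
    long off = 12;
    int hits = 0;

    for (unsigned i = 0; i < qd; i++) {          /* question section */
        off = skip_name(msg, len, (size_t)off);
        if (off < 0 || (size_t)off + 4 > len)
            return -1;
        off += 4;                                /* QTYPE + QCLASS */
    }
    for (unsigned long i = 0; i < rr; i++) {     /* answer/authority/additional */
        off = skip_name(msg, len, (size_t)off);
        if (off < 0 || (size_t)off + 10 > len)
            return -1;
        unsigned type = rd16(msg + off);
        unsigned rdlen = rd16(msg + off + 8);
        off += 10;                               /* TYPE, CLASS, TTL, RDLENGTH */
        if (rdlen > len - (size_t)off)
            return -1;                           /* RDATA runs past the buffer */
        if (rdlen == 0 && type != DNS_TYPE_OPT)
            hits++;
        off += rdlen;
    }
    return hits;
}

/* Constructed sample response: one question, an A record, a TXT record
 * with zero-length RDATA, and an empty OPT record. */
static const uint8_t sample_msg[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01,
    0x07, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 0x03, 'c', 'o', 'm', 0x00,
    0x00, 0x01, 0x00, 0x01,
    0xC0, 0x0C, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x3C, 0x00, 0x04,
    192, 0, 2, 1,
    0xC0, 0x0C, 0x00, 0x10, 0x00, 0x01, 0x00, 0x00, 0x00, 0x3C, 0x00, 0x00,
    0x00, 0x00, 0x29, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

int main(void)
{
    printf("zero-length RDATA records: %d\n",
           dns_count_zero_rdata(sample_msg, sizeof sample_msg));
    return 0;
}
```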

IV. Workaround

No workaround is available, but systems not running the BIND name
server are not affected.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE, or 9-STABLE,
or to the RELENG_7_4, RELENG_8_3, RELENG_8_2, RELENG_8_1, or RELENG_9_0
security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4,
8.3, 8.2, 8.1 and 9.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.4-RELEASE, 8.3-RELEASE, 8.2-RELEASE, and 8.1-RELEASE]
# fetch http://security.FreeBSD.org/patches/SA-12:03/bind.patch
# fetch http://security.FreeBSD.org/patches/SA-12:03/bind.patch.asc

[FreeBSD 9.0-RELEASE]
# fetch http://security.FreeBSD.org/patches/SA-12:03/bind-90.patch
# fetch http://security.FreeBSD.org/patches/SA-12:03/bind-90.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind/
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 8.3-RELEASE, 8.2-RELEASE, 8.1-RELEASE,
or 9.0-RELEASE on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

4) Install and run BIND from the Ports Collection after the correction
date. The following versions and newer versions of BIND installed from
the Ports Collection are not affected by this vulnerability:

bind96-9.6.3.1.ESV.R7.1
bind97-9.7.6.1
bind98-9.8.3.1
bind99-9.9.1.1

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_7
src/contrib/bind9/lib/dns/rdata.c 1.1.1.5.2.4
src/contrib/bind9/lib/dns/rdataslab.c 1.1.1.2.2.5
RELENG_7_4
src/UPDATING 1.507.2.36.2.11
src/sys/conf/newvers.sh 1.72.2.18.2.14
src/contrib/bind9/lib/dns/rdata.c 1.1.1.5.2.1.2.1
src/contrib/bind9/lib/dns/rdataslab.c 1.1.1.2.2.3.2.1
RELENG_8
src/contrib/bind9/lib/dns/rdata.c 1.2.2.4
src/contrib/bind9/lib/dns/rdataslab.c 1.2.2.5
RELENG_8_3
src/UPDATING 1.632.2.26.2.5
src/sys/conf/newvers.sh 1.83.2.15.2.7
src/contrib/bind9/lib/dns/rdata.c 1.2.2.2.2.1
src/contrib/bind9/lib/dns/rdataslab.c 1.2.2.3.2.1
RELENG_8_2
src/UPDATING 1.632.2.19.2.11
src/sys/conf/newvers.sh 1.83.2.12.2.14
src/contrib/bind9/lib/dns/rdata.c 1.2.8.1
src/contrib/bind9/lib/dns/rdataslab.c 1.2.2.2.2.1
RELENG_8_1
src/UPDATING 1.632.2.14.2.14
src/sys/conf/newvers.sh 1.83.2.10.2.15
src/contrib/bind9/lib/dns/rdata.c 1.2.6.1
src/contrib/bind9/lib/dns/rdataslab.c 1.2.2.1.2.1
RELENG_9
src/contrib/bind9/lib/dns/rdata.c 1.5.2.2
src/contrib/bind9/lib/dns/rdataslab.c 1.7.2.2
RELENG_9_0
src/UPDATING 1.702.2.4.2.5
src/sys/conf/newvers.sh 1.95.2.4.2.7
src/contrib/bind9/lib/dns/rdata.c 1.5.4.1
src/contrib/bind9/lib/dns/rdataslab.c 1.7.4.1
-------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/7/                                                         r236953
releng/7.4/                                                       r236953
stable/8/                                                         r236590
releng/8.3/                                                       r236953
releng/8.2/                                                       r236953
releng/8.1/                                                       r236953
stable/9/                                                         r236587
releng/9.0/                                                       r236953
-------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1667
http://www.isc.org/software/bind/advisories/cve-2012-1667

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-12:03.bind.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (FreeBSD)

iEYEARECAAYFAk/XQGEACgkQFdaIBMps37LU+gCfcP1MdQy8s5gjNWJfW+BiP6oI
CWkAnRZzIRxAKWgD2spPAuBu04S9ZQkA
=aI2g
-----END PGP SIGNATURE-----

FreeBSD-SA-12:02.crypt

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-12:02.crypt Security Advisory
The FreeBSD Project

Topic: Incorrect crypt() hashing

Category: core
Module: libcrypt
Announced: 2012-05-30
Credits: Rubin Xu, Joseph Bonneau, Donting Yu
Affects: All supported versions of FreeBSD.
Corrected: 2012-05-30 12:01:28 UTC (RELENG_7, 7.4-STABLE)
2012-05-30 12:01:28 UTC (RELENG_7_4, 7.4-RELEASE-p8)
2012-05-30 12:01:28 UTC (RELENG_8, 8.3-STABLE)
2012-05-30 12:01:28 UTC (RELENG_8_3, 8.3-RELEASE-p2)
2012-05-30 12:01:28 UTC (RELENG_8_2, 8.2-RELEASE-p8)
2012-05-30 12:01:28 UTC (RELENG_8_1, 8.1-RELEASE-p10)
2012-05-30 12:01:28 UTC (RELENG_9, 9.0-STABLE)
2012-05-30 12:01:28 UTC (RELENG_9_0, 9.0-RELEASE-p2)
CVE Name: CVE-2012-2143

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

The crypt(3) function performs password hashing with additional code added
to deter key search attempts.

II. Problem Description

There is a programming error in the DES implementation used in crypt()
when handling input which contains characters that cannot be represented
with 7-bit ASCII.

III. Impact

When the input contains characters with only the most significant bit set
(0x80), that character and all characters after it will be ignored.
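An added illustration of how this kind of truncation can arise, not the libcrypt source or the FreeBSD patch: traditional DES crypt() builds an 8-byte key from the password with each byte shifted left by one bit, and the sketch below assumes the flawed loop decided whether to advance by testing the shifted byte, so 0x80 (which shifts to 0) is mistaken for the terminating NUL. All function names are hypothetical; the second routine shows the corrected test on the original byte.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef void (*key_setup_fn)(const char *, uint8_t out[8]);

/* Flawed model: advances only if the SHIFTED byte is non-zero.
 * (uint8_t)(0x80 << 1) == 0, so a 0x80 byte stops the walk for good. */
static void key_setup_flawed(const char *pw, uint8_t out[8])
{
    const unsigned char *k = (const unsigned char *)pw;
    for (size_t i = 0; i < 8; i++) {
        out[i] = (uint8_t)(*k << 1);
        if (out[i] != 0)
            k++;
    }
}

/* Corrected model: advances unless the ORIGINAL byte is the terminator. */
static void key_setup_fixed(const char *pw, uint8_t out[8])
{
    const unsigned char *k = (const unsigned char *)pw;
    for (size_t i = 0; i < 8; i++) {
        out[i] = (uint8_t)(*k << 1);
        if (*k != '\0')
            k++;
    }
}

/* 1 if both passwords yield identical DES key material under `setup`. */
int same_des_key(key_setup_fn setup, const char *a, const char *b)
{
    uint8_t ka[8], kb[8];
    setup(a, ka);
    setup(b, kb);
    return memcmp(ka, kb, sizeof ka) == 0;
}

/* Index of the first 0x80 byte within the 8 bytes the key setup reads,
 * or -1 if there is none. Usable as a check at password-change time. */
int first_truncating_byte(const char *pw)
{
    for (int i = 0; i < 8 && pw[i] != '\0'; i++)
        if ((unsigned char)pw[i] == 0x80)
            return i;
    return -1;
}

int main(void)
{
    /* Constructed sample passwords; the literal is split so that the
     * \x80 escape does not swallow the hex digits that follow it. */
    const char *pw = "ab\x80" "cdef";
    printf("flawed: same key as \"ab\"? %d\n",
           same_des_key(key_setup_flawed, pw, "ab"));
    printf("fixed:  same key as \"ab\"? %d\n",
           same_des_key(key_setup_fixed, pw, "ab"));
    printf("first truncating byte at index %d\n", first_truncating_byte(pw));
    return 0;
}
```

Hashes created by the flawed routine for such passwords keep matching the truncated password until the password is set again on a corrected system.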

IV. Workaround

No workaround is available, but systems not using crypt(), or which only
use it to handle 7-bit ASCII are not vulnerable. Note that, because
DES does not have the computational complexity to defeat brute force
search on modern computers, it is not recommended for new applications.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE, or 9-STABLE,
or to the RELENG_7_4, RELENG_8_3, RELENG_8_2, RELENG_8_1, or RELENG_9_0
security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4,
8.3, 8.2, 8.1 and 9.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-12:02/crypt.patch
# fetch http://security.FreeBSD.org/patches/SA-12:02/crypt.patch.asc

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libcrypt
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries. On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in
<URL:http://www.FreeBSD.org/handbook/makeworld.html>

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 8.3-RELEASE, 8.2-RELEASE, 8.1-RELEASE,
or 9.0-RELEASE on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_7
src/secure/lib/libcrypt/crypt-des.c 1.16.24.1
RELENG_7_4
src/UPDATING 1.507.2.36.2.10
src/sys/conf/newvers.sh 1.72.2.18.2.13
src/secure/lib/libcrypt/crypt-des.c 1.16.40.2
RELENG_8
src/secure/lib/libcrypt/crypt-des.c 1.16.36.2
RELENG_8_3
src/UPDATING 1.632.2.26.2.4
src/sys/conf/newvers.sh 1.83.2.15.2.6
src/secure/lib/libcrypt/crypt-des.c 1.16.36.1.8.2
RELENG_8_2
src/UPDATING 1.632.2.19.2.10
src/sys/conf/newvers.sh 1.83.2.12.2.13
src/secure/lib/libcrypt/crypt-des.c 1.16.36.1.6.2
RELENG_8_1
src/UPDATING 1.632.2.14.2.13
src/sys/conf/newvers.sh 1.83.2.10.2.14
src/secure/lib/libcrypt/crypt-des.c 1.16.36.1.4.2
RELENG_9
src/secure/lib/libcrypt/crypt-des.c 1.16.42.2
RELENG_9_0
src/UPDATING 1.702.2.4.2.4
src/sys/conf/newvers.sh 1.95.2.4.2.6
src/secure/lib/libcrypt/crypt-des.c 1.16.42.1.2.2
-------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/7/                                                         r236304
releng/7.4/                                                       r236304
stable/8/                                                         r236304
releng/8.3/                                                       r236304
releng/8.2/                                                       r236304
releng/8.1/                                                       r236304
stable/9/                                                         r236304
releng/9.0/                                                       r236304
-------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2143
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-12:02.crypt.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (FreeBSD)

iEYEARECAAYFAk/GEsoACgkQFdaIBMps37JSYQCfZGZceQY4D53qgR9JbI79ZNht
/GIAnjnhxlCnF27cWOhqxkkTWM6f45IM
=7CVu
-----END PGP SIGNATURE-----

FreeBSD-SA-12:01.openssl (revised)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-12:01.openssl Security Advisory
The FreeBSD Project

Topic: OpenSSL multiple vulnerabilities

Category: contrib
Module: openssl
Announced: 2012-05-03
Credits: Adam Langley, George Kadianakis, Ben Laurie,
Ivan Nestlerode, Tavis Ormandy
Affects: All supported versions of FreeBSD.
Corrected: 2012-05-30 12:01:28 UTC (RELENG_7, 7.4-STABLE)
2012-05-30 12:01:28 UTC (RELENG_7_4, 7.4-RELEASE-p8)
2012-05-30 12:01:28 UTC (RELENG_8, 8.3-STABLE)
2012-05-30 12:01:28 UTC (RELENG_8_3, 8.3-RELEASE-p2)
2012-05-30 12:01:28 UTC (RELENG_8_2, 8.2-RELEASE-p8)
2012-05-30 12:01:28 UTC (RELENG_8_1, 8.1-RELEASE-p10)
2012-05-30 12:01:28 UTC (RELENG_9, 9.0-STABLE)
2012-05-30 12:01:28 UTC (RELENG_9_0, 9.0-RELEASE-p2)
CVE Name: CVE-2011-4576, CVE-2011-4619, CVE-2011-4109,
CVE-2012-0884, CVE-2012-2110

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

0. Revision History

v1.0 2012-05-02 Initial release.
v1.1 2012-05-30 Updated patch to add SGC and BUF_MEM_grow_clean(3) bug
fixes.

I. Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

II. Problem Description

OpenSSL fails to clear the bytes used as block cipher padding in SSL 3.0
records when operating as a client or a server that accepts SSL 3.0
handshakes. As a result, in each record, up to 15 bytes of uninitialized
memory may be sent, encrypted, to the SSL peer. This could include
sensitive contents of previously freed memory. [CVE-2011-4576]

OpenSSL support for handshake restarts for server gated cryptography (SGC)
can be used in a denial-of-service attack. [CVE-2011-4619]

If an application uses OpenSSL’s certificate policy checking when
verifying X509 certificates, by enabling the X509_V_FLAG_POLICY_CHECK
flag, a policy check failure can lead to a double-free. [CVE-2011-4109]

A weakness in the OpenSSL PKCS #7 code can be exploited using
Bleichenbacher’s attack on PKCS #1 v1.5 RSA padding also known as the
million message attack (MMA). [CVE-2012-0884]

The asn1_d2i_read_bio() function, used by the d2i_*_bio and d2i_*_fp
functions, in OpenSSL contains multiple integer errors that can cause
memory corruption when parsing encoded ASN.1 data. This error can occur
on systems that parse untrusted ASN.1 data, such as X.509 certificates
or RSA public keys. [CVE-2012-2110]

III. Impact

Sensitive contents of the previously freed memory can be exposed
when communicating with an SSL 3.0 peer. However, the FreeBSD OpenSSL
version does not support the SSL_MODE_RELEASE_BUFFERS SSL mode and
therefore has a single write buffer per connection. That write buffer
is partially filled with non-sensitive handshake data at the beginning
of the connection and, thereafter, only records which are longer than
any previously sent record leak any non-encrypted data. This, combined
with the small number of bytes leaked per record, serves to limit the
severity of this issue. [CVE-2011-4576]

Denial of service can be caused in the OpenSSL server application
supporting server gated cryptography by performing multiple handshake
restarts. [CVE-2011-4619]

The double-free, when an application performs X509 certificate policy
checking, can lead to denial of service in that application.
[CVE-2011-4109]

A weakness in the OpenSSL PKCS #7 code can lead to a successful
Bleichenbacher attack. Only users of PKCS #7 decryption operations are
affected. A successful attack needs on average 2^20 messages. In
practice only automated systems will be affected as humans will not be
willing to process this many messages. SSL/TLS applications are not
affected. [CVE-2012-0884]

The vulnerability in the asn1_d2i_read_bio() OpenSSL function can lead
to a potentially exploitable attack via buffer overflow. The SSL/TLS
code in OpenSSL is not affected by this issue, nor are applications
using the memory based ASN.1 functions. There are no applications in
FreeBSD base system affected by this issue, though some 3rd party
consumers of these functions might be vulnerable when processing
untrusted ASN.1 data. [CVE-2012-2110]

The patch provided with the initial version of this advisory introduced
a bug in the Server Gated Cryptography (SGC) handshake code that could
cause the SGC handshake to fail for a legitimate client. The updated patch
also fixes the return error code in the BUF_MEM_grow_clean(3) function in the
buffer size check code introduced by the CVE-2012-2110 fix.

IV. Workaround

No workaround is available.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE or 9-STABLE,
or to the RELENG_7_4, RELENG_8_3, RELENG_8_2, RELENG_8_1, RELENG_9_0
security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 8.3,
8.2, 8.1, and 9.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-12:01/openssl2.patch
# fetch http://security.FreeBSD.org/patches/SA-12:01/openssl2.patch.asc

NOTE: The patch distributed at the time of the original advisory fixed
the security vulnerability, but introduced a bug to the SGC handshake
code that can cause the SGC handshake to fail for a legitimate client.
Systems to which the original patch was applied should be patched with
the following corrective patch, which contains only the additional
changes required to fix the newly-introduced SGC handshake bug. The
updated patch also corrects an error code for an error check introduced
in the original patch.

# fetch http://security.FreeBSD.org/patches/SA-12:01/openssl-sgc-fix.patch
# fetch http://security.FreeBSD.org/patches/SA-12:01/openssl-sgc-fix.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system as described in
<URL: http://www.freebsd.org/handbook/makeworld.html> and reboot the
system.

NOTE: Any third-party applications, including those installed from the
FreeBSD ports collection, which are statically linked to libcrypto(3)
should be recompiled in order to use the corrected code.

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 8.3-RELEASE, 8.2-RELEASE, 8.1-RELEASE or
9.0-RELEASE on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_7
src/crypto/openssl/crypto/buffer/buffer.c 1.1.1.4.2.3
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.2.2
src/crypto/openssl/crypto/mem.c 1.1.1.8.2.2
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.1.1.1.2.2
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.1.1.2.2.2
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.2.1
src/crypto/openssl/ssl/ssl.h 1.1.1.16.2.3
src/crypto/openssl/ssl/ssl_err.c 1.1.1.11.2.3
src/crypto/openssl/ssl/s3_enc.c 1.1.1.13.2.2
src/crypto/openssl/ssl/s3_srvr.c 1.1.1.17.2.8
src/crypto/openssl/ssl/ssl3.h 1.1.1.6.2.2
RELENG_7_4
src/UPDATING 1.507.2.36.2.10
src/sys/conf/newvers.sh 1.72.2.18.2.13
src/crypto/openssl/crypto/buffer/buffer.c 1.1.1.4.2.1.2.2
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.2.1.2.1
src/crypto/openssl/crypto/mem.c 1.1.1.8.2.1.2.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.1.1.1.2.1.2.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.1.1.2.2.1.2.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.20.1
src/crypto/openssl/ssl/ssl.h 1.1.1.16.2.2.2.1
src/crypto/openssl/ssl/ssl_err.c 1.1.1.11.2.2.2.1
src/crypto/openssl/ssl/s3_enc.c 1.1.1.13.2.1.2.1
src/crypto/openssl/ssl/s3_srvr.c 1.1.1.17.2.5.2.2
src/crypto/openssl/ssl/ssl3.h 1.1.1.6.2.1.2.1
RELENG_8
src/crypto/openssl/crypto/buffer/buffer.c 1.2.2.2
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.10.2
src/crypto/openssl/crypto/mem.c 1.2.2.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.2.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.2.2.2
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.10.1
src/crypto/openssl/ssl/ssl.h 1.2.2.2
src/crypto/openssl/ssl/ssl_err.c 1.2.2.2
src/crypto/openssl/ssl/s3_enc.c 1.2.2.2
src/crypto/openssl/ssl/s3_srvr.c 1.3.2.6
src/crypto/openssl/ssl/ssl3.h 1.2.2.2
RELENG_8_3
src/UPDATING 1.632.2.26.2.4
src/sys/conf/newvers.sh 1.83.2.15.2.6
src/crypto/openssl/crypto/buffer/buffer.c 1.2.14.2
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.10.1.4.1
src/crypto/openssl/crypto/mem.c 1.2.14.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.14.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.2.2.1.6.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.26.1
src/crypto/openssl/ssl/ssl.h 1.2.2.1.6.1
src/crypto/openssl/ssl/ssl_err.c 1.2.2.1.6.1
src/crypto/openssl/ssl/s3_enc.c 1.2.2.1.4.1
src/crypto/openssl/ssl/s3_srvr.c 1.3.2.4.2.2
src/crypto/openssl/ssl/ssl3.h 1.2.2.1.6.1
RELENG_8_2
src/UPDATING 1.632.2.19.2.10
src/sys/conf/newvers.sh 1.83.2.12.2.13
src/crypto/openssl/crypto/buffer/buffer.c 1.2.8.2
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.10.1.2.1
src/crypto/openssl/crypto/mem.c 1.2.8.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.8.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.2.2.1.4.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.18.1
src/crypto/openssl/ssl/ssl.h 1.2.2.1.4.1
src/crypto/openssl/ssl/ssl_err.c 1.2.2.1.4.1
src/crypto/openssl/ssl/s3_enc.c 1.2.2.1.2.1
src/crypto/openssl/ssl/s3_srvr.c 1.3.2.3.2.2
src/crypto/openssl/ssl/ssl3.h 1.2.2.1.4.1
RELENG_8_1
src/UPDATING 1.632.2.14.2.13
src/sys/conf/newvers.sh 1.83.2.10.2.14
src/crypto/openssl/crypto/buffer/buffer.c 1.2.6.2
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.16.1
src/crypto/openssl/crypto/mem.c 1.2.6.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.6.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.2.2.1.2.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.16.1
src/crypto/openssl/ssl/ssl.h 1.2.2.1.2.1
src/crypto/openssl/ssl/ssl_err.c 1.2.2.1.2.1
src/crypto/openssl/ssl/s3_enc.c 1.2.6.1
src/crypto/openssl/ssl/s3_srvr.c 1.3.2.2.2.2
src/crypto/openssl/ssl/ssl3.h 1.2.2.1.2.1
RELENG_9
src/crypto/openssl/crypto/buffer/buffer.c 1.2.10.2
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.2.2.1
src/crypto/openssl/crypto/mem.c 1.2.10.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.10.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.3.2.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.22.1
src/crypto/openssl/ssl/ssl.h 1.3.2.1
src/crypto/openssl/ssl/ssl_err.c 1.3.2.1
src/crypto/openssl/ssl/s3_enc.c 1.3.2.1
src/crypto/openssl/ssl/s3_srvr.c 1.7.2.2
src/crypto/openssl/ssl/ssl3.h 1.3.2.1
RELENG_9_0
src/UPDATING 1.702.2.4.2.4
src/sys/conf/newvers.sh 1.95.2.4.2.6
src/crypto/openssl/crypto/buffer/buffer.c 1.2.12.2
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.2.4.1
src/crypto/openssl/crypto/mem.c 1.2.12.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.12.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.3.4.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.24.1
src/crypto/openssl/ssl/ssl.h 1.3.4.1
src/crypto/openssl/ssl/ssl_err.c 1.3.4.1
src/crypto/openssl/ssl/s3_enc.c 1.3.4.1
src/crypto/openssl/ssl/s3_srvr.c 1.7.4.2
src/crypto/openssl/ssl/ssl3.h 1.3.4.1
-------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/7/                                                         r236304
releng/7.4/                                                       r236304
stable/8/                                                         r236304
releng/8.3/                                                       r236304
releng/8.2/                                                       r236304
releng/8.1/                                                       r236304
stable/9/                                                         r236304
releng/9.0/                                                       r236304
-------------------------------------------------------------------------

VII. References

http://www.openssl.org/news/secadv_20120419.txt
http://www.openssl.org/news/secadv_20120312.txt
http://www.openssl.org/news/secadv_20120104.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4576
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4619
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4109
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0884
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2110
http://lists.openwall.net/full-disclosure/2012/04/19/4

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-12:01.openssl.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (FreeBSD)

iEYEARECAAYFAk/GEsMACgkQFdaIBMps37IOkwCgj6lSWidx+sk/C/seNNBmQfN8
36sAn2OQg0TEYq9xPf8yd0hrPICuDyGK
=T8ip
-----END PGP SIGNATURE-----

FreeBSD-SA-12:01.openssl

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-12:01.openssl Security Advisory
The FreeBSD Project

Topic: OpenSSL multiple vulnerabilities

Category: contrib
Module: openssl
Announced: 2012-05-03
Credits: Adam Langley, George Kadianakis, Ben Laurie,
Ivan Nestlerode, Tavis Ormandy
Affects: All supported versions of FreeBSD.
Corrected: 2012-05-03 15:25:11 UTC (RELENG_7, 7.4-STABLE)
2012-05-03 15:25:11 UTC (RELENG_7_4, 7.4-RELEASE-p7)
2012-05-03 15:25:11 UTC (RELENG_8, 8.3-STABLE)
2012-05-03 15:25:11 UTC (RELENG_8_3, 8.3-RELEASE-p1)
2012-05-03 15:25:11 UTC (RELENG_8_2, 8.2-RELEASE-p7)
2012-05-03 15:25:11 UTC (RELENG_8_1, 8.1-RELEASE-p9)
2012-05-03 15:25:11 UTC (RELENG_9, 9.0-STABLE)
2012-05-03 15:25:11 UTC (RELENG_9_0, 9.0-RELEASE-p1)
CVE Name: CVE-2011-4576, CVE-2011-4619, CVE-2011-4109,
CVE-2012-0884, CVE-2012-2110

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

II. Problem Description

OpenSSL fails to clear the bytes used as block cipher padding in SSL 3.0
records when operating as a client or a server that accepts SSL 3.0
handshakes. As a result, in each record, up to 15 bytes of uninitialized
memory may be sent, encrypted, to the SSL peer. This could include
sensitive contents of previously freed memory. [CVE-2011-4576]

OpenSSL support for handshake restarts for server gated cryptography (SGC)
can be used in a denial-of-service attack. [CVE-2011-4619]

If an application uses OpenSSL’s certificate policy checking when
verifying X509 certificates, by enabling the X509_V_FLAG_POLICY_CHECK
flag, a policy check failure can lead to a double-free. [CVE-2011-4109]

A weakness in the OpenSSL PKCS #7 code can be exploited using
Bleichenbacher’s attack on PKCS #1 v1.5 RSA padding also known as the
million message attack (MMA). [CVE-2012-0884]

The asn1_d2i_read_bio() function, used by the d2i_*_bio and d2i_*_fp
functions, in OpenSSL contains multiple integer errors that can cause
memory corruption when parsing encoded ASN.1 data. This error can occur
on systems that parse untrusted ASN.1 data, such as X.509 certificates
or RSA public keys. [CVE-2012-2110]

III. Impact

Sensitive contents of the previously freed memory can be exposed
when communicating with an SSL 3.0 peer. However, the FreeBSD OpenSSL
version does not support the SSL_MODE_RELEASE_BUFFERS SSL mode and
therefore has a single write buffer per connection. That write buffer
is partially filled with non-sensitive handshake data at the beginning
of the connection and, thereafter, only records which are longer than
any previously sent record leak any non-encrypted data. This, combined
with the small number of bytes leaked per record, serves to limit the
severity of this issue. [CVE-2011-4576]

Denial of service can be caused in the OpenSSL server application
supporting server gated cryptography by performing multiple handshake
restarts. [CVE-2011-4619]

The double-free, when an application performs X509 certificate policy
checking, can lead to denial of service in that application.
[CVE-2011-4109]

A weakness in the OpenSSL PKCS #7 code can lead to a successful
Bleichenbacher attack. Only users of PKCS #7 decryption operations are
affected. A successful attack needs on average 2^20 messages. In
practice only automated systems will be affected as humans will not be
willing to process this many messages. SSL/TLS applications are not
affected. [CVE-2012-0884]

The vulnerability in the asn1_d2i_read_bio() OpenSSL function can lead
to a potentially exploitable attack via buffer overflow. The SSL/TLS
code in OpenSSL is not affected by this issue, nor are applications
using the memory based ASN.1 functions. There are no applications in
FreeBSD base system affected by this issue, though some 3rd party
consumers of these functions might be vulnerable when processing
untrusted ASN.1 data. [CVE-2012-2110]

IV. Workaround

No workaround is available.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE or 9-STABLE,
or to the RELENG_7_4, RELENG_8_3, RELENG_8_2, RELENG_8_1, RELENG_9_0
security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 8.3,
8.2, 8.1, and 9.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-12:01/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-12:01/openssl.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system as described in
<URL: http://www.freebsd.org/handbook/makeworld.html> and reboot the
system.

NOTE: Any third-party applications, including those installed from the
FreeBSD ports collection, which are statically linked to libcrypto(3)
should be recompiled in order to use the corrected code.

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 8.3-RELEASE, 8.2-RELEASE, 8.1-RELEASE or
9.0-RELEASE on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_7
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.2.2
src/crypto/openssl/crypto/mem.c 1.1.1.8.2.2
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.1.1.1.2.2
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.1.1.2.2.2
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.2.1
src/crypto/openssl/crypto/buffer/buffer.c 1.1.1.4.2.2
src/crypto/openssl/ssl/ssl_err.c 1.1.1.11.2.3
src/crypto/openssl/ssl/s3_srvr.c 1.1.1.17.2.7
src/crypto/openssl/ssl/ssl.h 1.1.1.16.2.3
src/crypto/openssl/ssl/s3_enc.c 1.1.1.13.2.2
src/crypto/openssl/ssl/ssl3.h 1.1.1.6.2.2
RELENG_7_4
src/UPDATING 1.507.2.36.2.9
src/sys/conf/newvers.sh 1.72.2.18.2.12
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.2.1.2.1
src/crypto/openssl/crypto/mem.c 1.1.1.8.2.1.2.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.1.1.1.2.1.2.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.1.1.2.2.1.2.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.20.1
src/crypto/openssl/crypto/buffer/buffer.c 1.1.1.4.2.1.2.1
src/crypto/openssl/ssl/ssl_err.c 1.1.1.11.2.2.2.1
src/crypto/openssl/ssl/s3_srvr.c 1.1.1.17.2.5.2.1
src/crypto/openssl/ssl/ssl.h 1.1.1.16.2.2.2.1
src/crypto/openssl/ssl/s3_enc.c 1.1.1.13.2.1.2.1
src/crypto/openssl/ssl/ssl3.h 1.1.1.6.2.1.2.1
RELENG_8
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.10.2
src/crypto/openssl/crypto/mem.c 1.2.2.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.2.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.2.2.2
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.10.1
src/crypto/openssl/crypto/buffer/buffer.c 1.2.2.1
src/crypto/openssl/ssl/ssl_err.c 1.2.2.2
src/crypto/openssl/ssl/s3_srvr.c 1.3.2.5
src/crypto/openssl/ssl/ssl.h 1.2.2.2
src/crypto/openssl/ssl/s3_enc.c 1.2.2.2
src/crypto/openssl/ssl/ssl3.h 1.2.2.2
RELENG_8_3
src/UPDATING 1.632.2.26.2.3
src/sys/conf/newvers.sh 1.83.2.15.2.5
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.10.1.4.1
src/crypto/openssl/crypto/mem.c 1.2.14.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.14.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.2.2.1.6.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.26.1
src/crypto/openssl/crypto/buffer/buffer.c 1.2.14.1
src/crypto/openssl/ssl/ssl_err.c 1.2.2.1.6.1
src/crypto/openssl/ssl/s3_srvr.c 1.3.2.4.2.1
src/crypto/openssl/ssl/ssl.h 1.2.2.1.6.1
src/crypto/openssl/ssl/s3_enc.c 1.2.2.1.4.1
src/crypto/openssl/ssl/ssl3.h 1.2.2.1.6.1
RELENG_8_2
src/UPDATING 1.632.2.19.2.9
src/sys/conf/newvers.sh 1.83.2.12.2.12
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.10.1.2.1
src/crypto/openssl/crypto/mem.c 1.2.8.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.8.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.2.2.1.4.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.18.1
src/crypto/openssl/crypto/buffer/buffer.c 1.2.8.1
src/crypto/openssl/ssl/ssl_err.c 1.2.2.1.4.1
src/crypto/openssl/ssl/s3_srvr.c 1.3.2.3.2.1
src/crypto/openssl/ssl/ssl.h 1.2.2.1.4.1
src/crypto/openssl/ssl/s3_enc.c 1.2.2.1.2.1
src/crypto/openssl/ssl/ssl3.h 1.2.2.1.4.1
RELENG_8_1
src/UPDATING 1.632.2.14.2.12
src/sys/conf/newvers.sh 1.83.2.10.2.13
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.16.1
src/crypto/openssl/crypto/mem.c 1.2.6.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.6.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.2.2.1.2.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.16.1
src/crypto/openssl/crypto/buffer/buffer.c 1.2.6.1
src/crypto/openssl/ssl/ssl_err.c 1.2.2.1.2.1
src/crypto/openssl/ssl/s3_srvr.c 1.3.2.2.2.1
src/crypto/openssl/ssl/ssl.h 1.2.2.1.2.1
src/crypto/openssl/ssl/s3_enc.c 1.2.6.1
src/crypto/openssl/ssl/ssl3.h 1.2.2.1.2.1
RELENG_9
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.2.2.1
src/crypto/openssl/crypto/mem.c 1.2.10.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.10.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.3.2.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.22.1
src/crypto/openssl/crypto/buffer/buffer.c 1.2.10.1
src/crypto/openssl/ssl/ssl_err.c 1.3.2.1
src/crypto/openssl/ssl/s3_srvr.c 1.7.2.1
src/crypto/openssl/ssl/ssl.h 1.3.2.1
src/crypto/openssl/ssl/s3_enc.c 1.3.2.1
src/crypto/openssl/ssl/ssl3.h 1.3.2.1
RELENG_9_0
src/UPDATING 1.702.2.4.2.3
src/sys/conf/newvers.sh 1.95.2.4.2.5
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.2.4.1
src/crypto/openssl/crypto/mem.c 1.2.12.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.12.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.3.4.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.24.1
src/crypto/openssl/crypto/buffer/buffer.c 1.2.12.1
src/crypto/openssl/ssl/ssl_err.c 1.3.4.1
src/crypto/openssl/ssl/s3_srvr.c 1.7.4.1
src/crypto/openssl/ssl/ssl.h 1.3.4.1
src/crypto/openssl/ssl/s3_enc.c 1.3.4.1
src/crypto/openssl/ssl/ssl3.h 1.3.4.1
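- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/7/                                                         r234954
releng/7.4/                                                       r234954
stable/8/                                                         r234954
releng/8.3/                                                       r234954
releng/8.2/                                                       r234954
releng/8.1/                                                       r234954
stable/9/                                                         r234954
releng/9.0/                                                       r234954
- -------------------------------------------------------------------------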

VII. References

http://www.openssl.org/news/secadv_20120419.txt
http://www.openssl.org/news/secadv_20120312.txt
http://www.openssl.org/news/secadv_20120104.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4576
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4619
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4109
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0884
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2110
http://lists.openwall.net/full-disclosure/2012/04/19/4

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-12:01.openssl.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (FreeBSD)

iEYEARECAAYFAk+ipzUACgkQFdaIBMps37I7pACeI7zZ21vj+6AVz5+15OP4foXm
N1IAn2rMThkptUz62e0QDCv3tJKW6N9i
=ko2h
-----END PGP SIGNATURE-----

FreeBSD 8.3-RELEASE Released

The FreeBSD Release Engineering Team is pleased to announce the availability of FreeBSD 8.3-RELEASE. This is the fourth release from the 8-STABLE branch which improves on the functionality of FreeBSD 8.2 and introduces some new features. Some of the highlights:

usb(4) now supports the USB packet filter

TCP/IP stack now supports the mod_cc(9) pluggable congestion control framework

graid(8) GEOM class added to support various BIOS-based software RAID controllers (replacement for ataraid(4))

ZFS subsystem updated to SPA version 28

Gnome version 2.32.1, KDE version 4.7.4

For a complete list of new features and known problems, please see the online release notes and errata list available at:

http://www.FreeBSD.org/releases/8.3R/relnotes-detailed.html

http://www.FreeBSD.org/releases/8.3R/errata.html

For more information about FreeBSD release engineering activities please see:

http://www.FreeBSD.org/releng/

Availability

FreeBSD 8.3-RELEASE is now available for the amd64, i386, pc98, and sparc64 architectures.

FreeBSD 8.3 can be installed from bootable ISO images or over the network. Some architectures (currently amd64 and i386) also support installing from a USB memory stick. The required files can be downloaded via FTP or BitTorrent as described in the sections below. While some of the smaller FTP mirrors may not carry all architectures, they will all generally contain the more common ones such as amd64 and i386.

MD5 and SHA256 hashes for the release ISO images are included at the bottom of this message.

The purposes of the images provided as part of the release are as follows:

dvd1
This contains everything necessary to install the base FreeBSD operating system, a collection of pre-built packages, and the documentation. It also supports booting into a "livefs" based rescue mode. This should be all you need if you can burn and use DVD-sized media.

disc1
This contains the base FreeBSD operating system and the English documentation package for CDROM-sized media. There are no other packages.

livefs
This contains support for booting into a "livefs" based rescue mode but does not support doing an install from the CD itself. It is meant to help rescue an existing system but could be used to do a network based install if necessary.

bootonly
This supports booting a machine using the CDROM drive but does not contain the support for installing FreeBSD from the CD itself. You would need to perform a network based install (e.g. from an FTP server) after booting from the CD.

memstick
This can be written to a USB memory stick (flash drive) and used to do an install on machines capable of booting off USB drives. It also supports booting into a "livefs" based rescue mode. The documentation packages are provided but no other packages.

As one example of how to use the memstick image, assuming the USB drive appears as /dev/da0 on your machine something like this should work:

# dd if=FreeBSD-8.3-RELEASE-amd64-memstick.img of=/dev/da0 bs=10240 conv=sync

Be careful to make sure you get the target (of=) correct.

FreeBSD 8.3-RELEASE can also be purchased on CD-ROM or DVD from several vendors. One of the vendors that will be offering FreeBSD 8.3-based products is:

FreeBSD Mall, Inc. http://www.freebsdmall.com/

BitTorrent

8.3-RELEASE ISOs are available via BitTorrent. A collection of torrent files to download the images is available at:

http://torrents.FreeBSD.org:8080/

FTP

At the time of this announcement the following FTP sites have FreeBSD 8.3-RELEASE available.

ftp://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/8.3/
ftp://ftp5.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/8.3/
ftp://ftp10.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/8.3/
ftp://ftp.cn.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/8.3/
ftp://ftp.cz.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/8.3/
ftp://ftp.dk.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/8.3/
ftp://ftp.fr.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/8.3/
ftp://ftp.jp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/8.3/
ftp://ftp.ru.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/8.3/
ftp://ftp1.ru.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/8.3/
ftp://ftp.tw.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/8.3/
ftp://ftp4.tw.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/8.3/
ftp://ftp5.us.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/8.3/
ftp://ftp10.us.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/8.3/

However before trying these sites please check your regional mirror(s) first by going to:

ftp://ftp.<yourdomain>.FreeBSD.org/pub/FreeBSD

Any additional mirror sites will be labeled ftp2, ftp3 and so on.

More information about FreeBSD mirror sites can be found at:

http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mirrors-ftp.html

For instructions on installing FreeBSD or updating an existing machine to 8.3-RELEASE please see:

http://www.FreeBSD.org/releases/8.3R/installation.html

Support

The FreeBSD Security Team currently plans to support FreeBSD 8.3 until April 30, 2014. For more information on the Security Team and their support of the various FreeBSD branches see:

http://www.FreeBSD.org/security/

Acknowledgments

Many companies donated equipment, network access, or man-hours to support the release engineering activities for FreeBSD 8.3 including The FreeBSD Foundation, Yahoo!, NetApp, Internet Systems Consortium, Sentex Communications, New York Internet, Juniper Networks, and iXsystems.

The release engineering team for 8.3-RELEASE includes:

Ken Smith <kensmith@FreeBSD.org>    Release Engineering, amd64, i386, sparc64 Release Building, Mirror Site Coordination
Robert Watson <rwatson@FreeBSD.org>    Release Engineering, Security
Konstantin Belousov <kib@FreeBSD.org>    Release Engineering
Marc Fonvieille <blackend@FreeBSD.org>    Release Engineering, Documentation
Josh Paetzel <jpaetzel@FreeBSD.org>    Release Engineering
Hiroki Sato <hrs@FreeBSD.org>    Release Engineering, Documentation
Bjoern Zeeb <bz@FreeBSD.org>    Release Engineering
Takahashi Yoshihiro <nyan@FreeBSD.org>    PC98 Release Building
Joe Marcus Clarke <marcus@FreeBSD.org>    Package Building
Erwin Lansing <erwin@FreeBSD.org>    Package Building
Mark Linimon <linimon@FreeBSD.org>    Package Building
Pav Lucistnik <pav@FreeBSD.org>    Package Building
Ion-Mihai Tetcu <itetcu@FreeBSD.org>    Package Building
Martin Wilke <miwi@FreeBSD.org>    Package Building, Ports Security
Colin Percival <cperciva@FreeBSD.org>    Security Officer

Trademark

FreeBSD is a registered trademark of The FreeBSD Foundation.

ISO Image Checksums


Original link: http://www.freebsd.org/releases/8.3R/announce.html

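Displaying Webcam Video with mplayer on FreeBSD

Many laptops and netbooks now have a built-in webcam, or can take an external USB one. FreeBSD provides /usr/ports/multimedia/webcamd to drive webcams of many models; its installation is not covered here.

There are several ways to view the live video captured by webcamd; the simplest is pwcview. There are other options as well: for example, http://www.rockafunk.org/ shows screenshots of camorama, camserv, effectv, guvcview, luvcview, mencoder, mjpg_streamer, motion, mplayer, uvc_streamer, uvcview, wxcam, xawtv, zoneminder, and others.

My multimedia (audio and video) tool is mplayer: I use it to watch films, listen to music, and open streaming media. Personally I consider mplayer the best all-rounder, so I will not duplicate effort by installing other tools just to view the webcam. This article describes how to display the live video captured by webcamd with mplayer.

Preparation

It is assumed that webcamd and mplayer are already installed on the machine. Note that, in addition to its default config options, mplayer must have the V4L option selected.
Use dmesg to find the webcam's device name. For example, on my Acer AOD 257 netbook it is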
ugen3.3: <Chicony Electronics Co., Ltd.> at usbus3

Starting webcamd

Run as root

webcamd -d ugen3.3 -v 0

The system reports

Attached ugen3.3[0] to cuse unit 0
Creating /dev/video0

That is, the device /dev/video0 has been created. Run as root

root@~# chmod 666 /dev/video0

Displaying the video captured by webcamd with mplayer

Just run the following command.

mplayer -tv driver=v4l2:width=352:height=288:device=/dev/video0 tv://

Screenshot

A screenshot taken with the netbook held up facing my desk.

Original link: http://wiki.freebsdchina.org/software/w/webcamd

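Setting Up Skype on FreeBSD

If you have a webcam, select VIDEO in the config; the system will then install webcamd automatically.

After installation, edit as root

# vi /usr/local/bin/skype

Add the following, or change the existing content to

#!/compat/linux/bin/sh
LD_PRELOAD=/usr/local/lib/libv4l/v4l2convert.so /usr/local/share/skype/skype --resources=/usr/local/share/skype "$@"

Webcam (webcamd) setup

To have webcamd start at boot, add to /boot/loader.conf

cuse4bsd_load="YES"

Also add to /etc/rc.conf

webcamd_enable="YES"

After boot, the device /dev/video0 will then be present. However, skype cannot use /dev/video0 as it stands; the device's permissions must be changed as root before skype can access it.

# chmod 666 /dev/video0

The device permissions can also be changed automatically, but I think that, for safety's sake, it is better to change them by hand.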
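
Both this article and the mplayer one open /dev/video0 with chmod 666, which lets every local account read the camera and has to be repeated whenever the node is recreated. An added example (not from the original articles) that instead installs a devfs(8) rule granting the node to a single group; the helper names, the "localrules" ruleset number 10 and the "operator" group are assumptions.

```shell
#!/bin/sh
# Added example: give one group access to the webcam through devfs(8) rules
# instead of running "chmod 666 /dev/video0" after every boot.
# Assumptions: ruleset "localrules" number 10 and group "operator".

# Print one devfs rule; refuse any mode that has bits set for "other".
devfs_rule_line() {    # usage: devfs_rule_line PATTERN MODE GROUP
  case "$2" in
    0[0-7][0-7]0) ;;   # four octal digits, last digit 0 = no access for others
    *) echo "mode '$2' rejected: use a four-digit mode ending in 0" >&2
       return 1 ;;
  esac
  printf "add path '%s' mode %s group %s\n" "$1" "$2" "$3"
}

# Make sure FILE holds the rule inside ruleset [NAME=NUMBER]; safe to re-run.
ensure_devfs_rule() {  # usage: ensure_devfs_rule FILE NAME NUMBER PATTERN MODE GROUP
  rules_file=$1
  header="[$2=$3]"
  rule=$(devfs_rule_line "$4" "$5" "$6") || return 1
  [ -f "$rules_file" ] || : > "$rules_file" || return 1
  new_file=$(mktemp "$rules_file.XXXXXX") || return 1
  awk -v h="$header" -v r="$rule" '
    # leaving the target ruleset: add the rule if it was not seen there
    function flush() { if (in_set && !seen) print r; in_set = 0 }
    $0 == h            { flush(); in_set = 1; found = 1; print; next }
    /^\[/              { flush() }
    in_set && $0 == r  { seen = 1 }
                       { print }
    END                { flush(); if (!found) { print h; print r } }
  ' "$rules_file" > "$new_file" || { rm -f "$new_file"; return 1; }
  chmod 644 "$new_file" && mv -f "$new_file" "$rules_file"
}

# On the FreeBSD machine (as root):
#   ensure_devfs_rule /etc/devfs.rules localrules 10 'video*' 0660 operator
```

With devfs_system_ruleset="localrules" in /etc/rc.conf and devfs restarted, members of the chosen group can open /dev/video0 while other accounts cannot.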

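Sound device setup

Use oss for the microphone, the speakers, and ringing.

Use the mixer command in a virtual terminal to check whether the microphone is on. For example,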

IOU@~$ mixer
Mixer vol      is currently set to  70:70
Mixer pcm      is currently set to  75:75
Mixer mic      is currently set to  80:80
Mixer mix      is currently set to  75:75
Mixer rec      is currently set to 100:100
Mixer igain    is currently set to   0:0
Mixer ogain    is currently set to  50:50
Recording source: mic

If the microphone is not on, you can run

IOU@~$ mixer mic 80

Original link: http://wiki.freebsdchina.org/software/s/skype

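Coping with English Easily on FreeBSD

English is the world language, but for people whose mother tongue is not English, becoming fluent in reading, writing, and conversation often takes long study.

FreeBSD provides some ports that help us cope with English. They are

chinese/stardict-dict-zh_CN (English-Chinese and Chinese-English dictionaries)
textproc/sdcv (command-line dictionary lookup)
textproc/queequeg (English grammar checking)
aspell (English spell checking)
reciteword (a tool for memorizing English vocabulary, maintained by delphij)

I do not particularly recommend installing a machine translation engine on FreeBSD, because there are now many online services, such as google, Baidu, and Yahoo (babel fish).

As cultural exchange around the world becomes ever more frequent, cross-language communication will sooner or later become mainstream, and high-quality machine translation services are bound to become a competitive field.

In Japan there are companies that provide back-end machine translation services for mobile phone calls: Japanese is spoken at one end and English comes out at the other. I have tried their products; although the translation quality is still immature, the service platform is already in place, waiting only for machine translation research to climb a few more steps and reach a practical level.

Checking spelling with aspell

If you use bash, add to .bashrc

alias spell="aspell --lang=en -c"

To check the spelling of the English words in the text file sample.txt, just run

IOU@~$ spell sample.txt

Coping with English in vim

Add the settings below to .vimrc. In vim, put the cursor on the English word you want to look up and press ctrl+\; sdcv will then consult the English-Chinese dictionary and show the Chinese explanation.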

set spell         "" highlight the typos
nmap <C-\> : !sdcv -n <C-R>=expand("<cword>")<CR><CR>

Coping with English in emacs

Add to the emacs configuration,

;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Automatic spell check ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;
(setq-default ispell-program-name "aspell")
(autoload 'flyspell-mode "flyspell" "On-the-fly spelling checker." t)

Checking English grammar with qq

Take a passage from the FreeBSD website: FreeBSD® is an advanced operating system for modern server, desktop, and embedded computer platforms. FreeBSD’s code base has undergone over thirty years of continuous development, improvement, and optimization. It is developed and maintained by a large team of individuals. FreeBSD provides advanced networking, impressive security features, and world class performance and is used by some of the world’s busiest web sites and most pervasive embedded networking and storage devices.

Save it as sample.txt, then use the queequeg tool (qq for short) to check the grammar of this passage. qq uses colored output to mark possible grammar errors.

IOU@~$ qq -Wall sample.txt
— sample.txt
sample.txt:0: … system for (modern server) , desktop …
sample.txt:0: (FreeBSD) Â ® …
sample.txt:0: … advanced operating (system) for modern …
sample.txt:0: … server , (desktop) , and …
sample.txt:0: … has undergone (over thirty years) of continuous …
sample.txt:0: … years of (continuous development) , improvement …
sample.txt:0: (FreeBSD) ‘s code …
sample.txt:0: … development , (improvement) , and …
sample.txt:0: … , and (optimization) .
sample.txt:0: … sites and (most pervasive embedded networking) and storage …
sample.txt:0: … , and (world class performance) and is …
sample.txt:0: FreeBSD provides (advanced networking) , impressive …
sample.txt:0: (FreeBSD) provides advanced …

Original link: http://wiki.freebsdchina.org/doc/e/english

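Installing remind on FreeBSD

remind is an excellent reminder program: small, yet powerful. Anything that involves a schedule can be handed over to it.

Below we use it so that, at boot, the system reminds us by voice or text of what has to be done today. The steps are as follows:

Install remind

Configure .reminders (I put this file under /backup; where it goes does not matter and is up to the user) as follows: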

###################################
# File: .reminders                #
# Reminder file for "remind"      #
#                                 #
# Usage:                          #
# vi /backup/.reminders           #
# chmod 644 .reminders            #
#                                 #
# To test:                        #
# remind -gaa /backup/.reminders  #
###################################
# Switch off the normal banner
BANNER Hello, IOU. Today is %w.

##########################
###### Things to do ######
##########################
REM Mon MSG The course of statistical machine learning.
REM Sat MSG The course of probability theory and mathematical statistics.
REM Sat MSG Meet the student.
REM     MSG The model of Bayesian kernel methods.

##################################
###### Sort the todo things ######
##################################
FSET sortbanner(x) iif(x == today(), "You have the following things to do.", "And, the other things %b.")

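Install speech synthesis software

Install festival and festvox-kal16. Or install flite, which is an alternative to festival but smaller and more efficient.

festival is an excellent text-to-speech (TTS) program, the work of the University of Edinburgh. festvox-kal16 uses CMU's dictionary (CMU's speech synthesis and speech recognition are also particularly good).

Configure rc.conf

Add to /etc/rc.conf

clear_tmp_enable="YES"

Empty /tmp each time the system is shut down

Script

In /usr/local/etc/rc.d/ create the script VoiceRemind.sh, as follows

#!/bin/sh
#/usr/local/etc/rc.d/VoiceRemind.sh
echo -n ' VoiceRemind'

case "$1" in
start)
  # Save today's reminders to a file for later display or speech
  /usr/local/bin/remind -gaa /backup/.reminders > /tmp/.VoiceRemind
  ;;
stop)
  # Only signal remind if a pid file exists (nothing in this script creates one)
  [ -f /var/run/remind.pid ] && kill -9 `cat /var/run/remind.pid`
  ;;
*)
  echo "Usage: `basename $0` {start|stop}" >&2
  exit 64
  ;;
esac
exit 0

On every boot, remind is run automatically and the output it generates is saved under /tmp, which is why /tmp is emptied when the system shuts down. Of course it would also work without doing so, since ">" creates a new file anyway. But emptying /tmp does no harm either. Now, give it a try

remind /backup/.reminders | festival --tts

and see whether it works. If you get the correct voice prompt, go on to the next step. Otherwise, go back and check the previous steps.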
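
The rc.d script above runs as root and redirects into a fixed file name under /tmp, a directory every local account can write to; that is the classic insecure temporary file pattern. An added example, not part of the original article, of writing the same output through a private temporary file in a directory that only its owner can write; the function names and the /var/run/VoiceRemind path are assumptions.

```shell
#!/bin/sh
# Added example: save command output from a root-run boot script without
# writing to a fixed name in /tmp.
# Assumption: the destination /var/run/VoiceRemind is illustrative.

# Succeed only if DIR is a real directory that group and others cannot write.
safe_dir() {
  [ -d "$1" ] && [ ! -L "$1" ] || return 1
  case "$(ls -ld "$1" | cut -c1-10)" in
    d????-??-?) return 0 ;;   # no "w" in the group and other columns
    *)          return 1 ;;
  esac
}

# write_output OUTFILE COMMAND [ARGS...]
# Run COMMAND and install its output at OUTFILE in one rename, so readers
# never see a partial file and an existing OUTFILE is never written through.
write_output() {
  out_file=$1; shift
  out_dir=$(dirname "$out_file")
  if ! safe_dir "$out_dir"; then
    echo "refusing $out_file: $out_dir is writable by other accounts" >&2
    return 1
  fi
  if [ -L "$out_file" ] || [ -d "$out_file" ]; then
    echo "refusing $out_file: it is a symlink or a directory" >&2
    return 1
  fi
  # mktemp creates a new, unpredictably named file with mode 0600
  tmp_file=$(mktemp "$out_dir/.out.XXXXXX") || return 1
  if "$@" > "$tmp_file"; then
    chmod 644 "$tmp_file" && mv -f "$tmp_file" "$out_file"
  else
    rm -f "$tmp_file"
    return 1
  fi
}

# In the start) branch of VoiceRemind.sh this would replace the redirect:
#   write_output /var/run/VoiceRemind /usr/local/bin/remind -gaa /backup/.reminders
```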

Original link: http://wiki.freebsdchina.org/software/r/remind

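Syntax Highlighting and Auto-Completion in Vim on FreeBSD

vim is a super-editor on a par with emacs (the two have different philosophies of use; neither is better or worse than the other). I like to set ctermbg to NONE in /usr/local/share/vim/vim73/colors/torte.vim, so that vim uses the desktop background and looks "transparent" (of course, this is fake transparency).

vim is extremely powerful; syntax highlighting and command auto-completion are no trouble for it at all. Below we introduce them one by one. The vim version we use is 7.0 or later.

Syntax highlighting

Below, the matrix computation tool octave and the symbolic computation tool maxima are used as examples to show how to get a programming language syntax-highlighted in vim.

Syntax highlighting for Octave in vim

How do we set things up so that vim highlights syntax when editing foo.m and foo.oct files? First, find the file filetype.vim, open it, and see whether the .m and .oct suffixes are already claimed by other programs. On my FreeBSD, the .m suffix was indeed claimed by matlab. There is no BSD version of matlab, and I do not have the linux version of matlab installed on my machine either, so I simply replaced matlab with octave in filetype.vim. In particular, add "*.oct" after "*.m"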

" Octave or Objective C
au BufNewFile,BufRead *.m,*.oct         call s:FTm()

func! s:FTm()
  let n = 1
  while n < 10
    let line = getline(n)
    if line =~ '^\s*\(#\s*\(include\|import\)\>\|/\*\)'
      setf objc
      return
    endif
    if line =~ '^\s*%'
      setf octave
      return
    endif
    if line =~ '^\s*(\*'
      setf mma
      return
    endif
    let n = n + 1
  endwhile
  if exists("g:filetype_m")
    exe "setf " . g:filetype_m
  else
    setf octave
  endif
endfunc

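Copy the file octave.vim to the directory where syntax/matlab.vim is located.

Syntax highlighting for maxima in vim

I want all files with the .mxm suffix to be syntax-highlighted as maxima files.

First make sure the file maxima.vim exists in the /usr/local/share/vim/vim72/syntax directory. Edit the file /usr/local/share/vim/vim72/filetype.vim and add the lines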

" Maxima
au BufNewFile,BufRead *.mxm         setf maxima

Command auto-completion

Go to the /usr/local/share/vim/vim72/autoload/ directory and see which environments the system provides command auto-completion for. You can also run locate ccomplete.vim to find this directory.

On FreeBSD7.0 there are ccomplete.vim, htmlcomplete.vim, and so on. Then we add to $HOME/.vimrc

"""""""""" Auto-completion commands """"""""""
autocmd Filetype c      set omnifunc=ccomplete#Complete
autocmd Filetype html   set omnifunc=htmlcomplete#CompleteTags
autocmd Filetype xml    set omnifunc=xmlcomplete#CompleteTags
autocmd Filetype python set omnifunc=pythoncomplete#Complete
autocmd Filetype tex    set omnifunc=syntaxcomplete#Complete

.vimrc settings

The general settings in $HOME/.vimrc are as follows.

set nocompatible  "" not compatible with VI
set spell         "" highlight the typos
"" Look up English words from within vim
nmap <C-\> : !sdcv -n <C-R>=expand("<cword>")<CR><CR>

"" Encodings and fonts
set encoding=utf-8
set fileencoding=utf-8
set fileencodings=ucs-bom,gb18030,gbk,gb2312,cp936
set termencoding=utf-8
set langmenu=zh_CN.UTF-8
language messages zh_CN.UTF-8
set guifontset=wenquanyi,-*-16-*-*-*

"" Tab and Backspace
set sw=2
set tabstop=4
set shiftwidth=4
set cindent
set smartindent
set autoindent
set backspace=indent,eol,start  "" set backspace

"" Display
set number        "" show line number
set ruler         "" always show current position
set cursorline    "" highlight the current line
set showcmd

"" Searching
set ignorecase    "" search setting
set incsearch
set hlsearch
set showmatch
set history=100
highlight Search term=reverse ctermbg=4 ctermfg=7

"" Syntax and color scheme
syntax enable
filetype plugin indent on
highlight Comment ctermfg=darkcyan
colorscheme torte

"""""""""" Auto-completion commands """"""""""
autocmd Filetype c      set omnifunc=ccomplete#Complete
autocmd Filetype html   set omnifunc=htmlcomplete#CompleteTags
autocmd Filetype xml    set omnifunc=xmlcomplete#CompleteTags
autocmd Filetype python set omnifunc=pythoncomplete#Complete
autocmd Filetype tex    set omnifunc=syntaxcomplete#Complete

Original link: http://wiki.freebsdchina.org/software/v/vim