Очередное обновление по безопасности.
FreeBSD-SA-05:21.openssl Security Advisory
The FreeBSD Project

Topic: Potential SSL 2.0 rollback

Category: contrib
Module: openssl
Announced: 2005-10-11
Credits: Yutaka Oiwa
Affects: All FreeBSD releases.
Corrected: 2005-10-11 11:52:46 UTC (RELENG_6, 6.0-STABLE)
2005-10-11 11:53:03 UTC (RELENG_6_0, 6.0-RELEASE)
2005-10-11 11:52:01 UTC (RELENG_5, 5.4-STABLE)
2005-10-11 11:52:28 UTC (RELENG_5_4, 5.4-RELEASE-p8)
2005-10-11 11:52:13 UTC (RELENG_5_3, 5.3-RELEASE-p23)
2005-10-11 11:50:50 UTC (RELENG_4, 4.11-STABLE)
2005-10-11 11:51:45 UTC (RELENG_4_11, 4.11-RELEASE-p13)
2005-10-11 11:51:20 UTC (RELENG_4_10, 4.10-RELEASE-p19)
CVE Name: CAN-2005-2969

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I. Background

The OpenSSL library implements the Secure Sockets Layer and Transport
Layer Security protocols, as well as providing a large number of basic
cryptographic functions.

The Secure Sockets Layer protocol exists in two versions and includes a
mechanism for negotiating the protocol version to be used. If the
protocol is executed correctly, it is impossible for a client and
server both capable of the newer version of the protocol (SSLv3) to end
up using the older version of the protocol (SSLv2).

II. Problem Description

In order to provide bug-for-bug compatibility with Microsoft Internet
Explorer 3.02, a verification step required by the Secure Sockets Layer
protocol can be disabled by using the SSL_OP_MSIE_SSLV2_RSA_PADDING
option in OpenSSL. This option is implied by the frequently-used
SSL_OP_ALL option.

III. Impact

If the SSL_OP_MSIE_SSLV2_RSA_PADDING option is enabled in a server
application using OpenSSL, an attacker who is able to intercept and
tamper with packets transmitted between a client and the server can
cause the protocol version negotiation to result in SSLv2 being used
even when both the client and the server support SSLv3. Due to a
number of weaknesses in the SSLv2 protocol, this may allow the attacker
to read or tamper with the encrypted data being sent.

Applications which do not support SSLv2, have been configured to not
permit the use of SSLv2, or do not use the SSL_OP_MSIE_SSLV2_RSA_PADDING
or SSL_OP_ALL options are not affected.

IV. Workaround

No workaround is available.

V. Solution

NOTE WELL: The solution described below causes OpenSSL to ignore the
SSL_OP_MSIE_SSLV2_RSA_PADDING option and hence to require conformance
with the Secure Sockets Layer protocol. As a result, this solution
will reintroduce incompatibility with Microsoft Internet Explorer 3.02
and any other applications which exhibit the same protocol violation.

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10,
4.11, 5.3, and 5.4 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:21/openssl.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:21/openssl.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system as described in
<URL: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html >.

Note that any statically linked applications that are not part of the
base system (i.e. from the Ports Collection or other 3rd-party sources)
must be recompiled.

All affected applications must be restarted for them to use the
corrected library. Though not required, rebooting may be the easiest
way to accomplish this.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_4
src/crypto/openssl/crypto/opensslv.h 1.1.1.1.2.11
src/crypto/openssl/ssl/s23_srvr.c 1.2.2.6
RELENG_4_11
src/UPDATING 1.73.2.91.2.14
src/sys/conf/newvers.sh 1.44.2.39.2.17
src/crypto/openssl/crypto/opensslv.h 1.1.1.1.2.10.4.1
src/crypto/openssl/ssl/s23_srvr.c 1.2.2.5.8.1
RELENG_4_10
src/UPDATING 1.73.2.90.2.20
src/sys/conf/newvers.sh 1.44.2.34.2.21
src/crypto/openssl/crypto/opensslv.h 1.1.1.1.2.10.2.1
src/crypto/openssl/ssl/s23_srvr.c 1.2.2.5.6.1
RELENG_5
src/crypto/openssl/crypto/opensslv.h 1.1.1.1.15.2.2
src/crypto/openssl/ssl/s23_srvr.c 1.7.6.1
RELENG_5_4
src/UPDATING 1.342.2.24.2.17
src/sys/conf/newvers.sh 1.62.2.18.2.13
src/crypto/openssl/crypto/opensslv.h 1.1.1.15.2.1.2.1
src/crypto/openssl/ssl/s23_srvr.c 1.7.10.1
RELENG_5_3
src/UPDATING 1.342.2.13.2.26
src/sys/conf/newvers.sh 1.62.2.15.2.28
src/crypto/openssl/crypto/opensslv.h 1.1.1.15.4.1
src/crypto/openssl/ssl/s23_srvr.c 1.7.8.1
RELENG_6
src/crypto/openssl/ssl/s23_srvr.c 1.7.12.1
src/crypto/openssl/crypto/opensslv.h 1.1.1.16.2.1
RELENG_6_0
src/UPDATING 1.416.2.3.2.1
src/crypto/openssl/crypto/opensslv.h 1.1.1.16.4.1
src/crypto/openssl/ssl/s23_srvr.c 1.7.14.1

Правильным ли будет утверждение, что в настоящий момент времени, исходный код системы, полученый по RELENG_4_11, будет аналогичныи полученому по RELENG_4 + последние заплатки по безопасности?

VGrey
Нет.
С тегом RELENG_4_11 вы получаете исходники релиза 4.11 и обновления системы по безопасности, например, 4.11-RELEASE-p13. С тегом RELENG_4 вы получаете исходники системы 4.11-STABLE, включая нетолько последние заплатки по безопасности, но и другие обновления.

То есть я так понимаю что если запускается
cvsup /usr/share/examples/cvsup/standard-supfile
в котором указано обновлять src-all до tag=RELENG_5_4 , я получу текущие апдейты для FreeBSD 5,4 (включая обновления безопасности (так называемые Security Updates), исправления утилит, расширение каких-то свойств, исправления в работе с некотрыми девайсами)

MS-aztoy
Правильно понимаете.

...сделал подобные настройки:
/etc/sysctl.conf
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

/etc/rc.conf
tcp_drop_synfin="YES"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
icmp_bmcastecho="YES"

...X'ы стали очень долго стратовать, KDE - минуть 7-10... в какой из строчек я 'гайки безопасности перетянул'?

Demiurg
в какой из строчек я 'гайки безопасности перетянул'?
А кто его знает?
Здается мне, что это не столько KDE виновато, сколько сами иксы, которые работают по схеме клиент-сервер и общение между компонентами иксов проходит по протоколу tpc/ip.
Попробуйте сами найти виноватую строку методом научного тыка, т.е. предваряя указанные Вами строки знаком комментария и рестартуя иксы.

Внимание!
В пакетном фильтре ipfw, входящем в состав FreeBSD 6.0, обнаружена неприятная уязвимость. Удаленный злоумышленник может вызвать отказ в обслуживании отправив специально сформированный пакет, подпадающий под "reset", "reject" или "unreach" правило фаервола.

Проблем можно избежать заменив все "reset", "reject" и "unreach" действия на "deny".

Также опубликованы еще три сообщения о незначительных проблемах безопасности во входящих в базовую поставку FreeBSD 6.0 приложений:

1. Multiple vulnerabilities cpio (ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06%3A03.cpio.asc);
2. ee temporary file privilege escalation (ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06%3A02.ee.asc);
3. Texindex temporary file privilege escalation (ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06%3A01.texindex.asc).
(цитата из рассылки opennet (http://www.opennet.ru/opennews/art.shtml?num=6785))
Подробности:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06%3A04.ipfw.asc

Очередное обновление по безопасности.
FreeBSD-SA-06:05.80211 Security Advisory
The FreeBSD Project

Topic: IEEE 802.11 buffer overflow

Category: core
Module: net80211
Announced: 2006-01-18
Credits: Karl Janmar
Affects: FreeBSD 6.0
Corrected: 2006-01-18 09:03:15 UTC (RELENG_6, 6.0-STABLE)
2006-01-18 09:03:36 UTC (RELENG_6_0, 6.0-RELEASE-p3)
CVE Name: CVE-2006-0226

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I. Background

The IEEE 802.11 network subsystem of FreeBSD implements the protocol
negotiation used for wireless networking.

II. Problem Description

An integer overflow in the handling of corrupt IEEE 802.11 beacon or
probe response frames when scanning for existing wireless networks can
result in the frame overflowing a buffer.

III. Impact

An attacker able broadcast a carefully crafted beacon or probe response
frame may be able to execute arbitrary code within the context of the
FreeBSD kernel on any system scanning for wireless networks.

IV. Workaround

No workaround is available, but systems without IEEE 802.11 hardware or
drivers loaded are not vulnerable.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE or to the RELENG_6_0
security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:05/80211.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:05/80211.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_6
src/sys/net80211/ieee80211_ioctl.c 1.25.2.9
RELENG_6_0
src/UPDATING 1.416.2.3.2.8
src/sys/conf/newvers.sh 1.69.2.8.2.4
src/sys/net80211/ieee80211_ioctl.c 1.25.2.3.2.1

Очередные обновления по безопасности.
FreeBSD-SA-06:06.kmem Security Advisory
The FreeBSD Project

Topic: Local kernel memory disclosure

Category: core
Module: kernel
Announced: 2006-01-25
Credits: Xin LI, Karl Janmar
Affects: FreeBSD 5.4-STABLE and FreeBSD 6.0
Corrected: 2006-01-25 10:00:59 UTC (RELENG_6, 6.0-STABLE)
2006-01-25 10:01:26 UTC (RELENG_6_0, 6.0-RELEASE-p4)
2006-01-25 10:01:47 UTC (RELENG_5, 5.4-STABLE)
CVE Name: CVE-2006-0379, CVE-2006-0380

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I. Background

The network sub-system commonly utilizes the ioctl(2) mechanism to pass
information regarding the current state and statistics of logical and
physical network devices.

II. Problem Description

A buffer allocated from the kernel stack may not be completely
initialized before being copied to userland. [CVE-2006-0379]

A logic error in computing a buffer length may allow too much data to
be copied into userland. [CVE-2006-0380]

III. Impact

Portions of kernel memory may be disclosed to local users. Such
memory might contain sensitive information, such as portions of the
file cache or terminal buffers. This information might be directly
useful, or it might be leveraged to obtain elevated privileges in
some way. For example, a terminal buffer might include a user-entered
password.

IV. Workaround

No workaround is available.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE or 6-STABLE, or to the
RELENG_6_0 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.4 and 6.0
systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 5.4-STABLE and 6.0-STABLE]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:06/kmem.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:06/kmem.patch.asc

[FreeBSD 6.0-RELEASE]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:06/kmem60.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:06/kmem60.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_5
src/sys/net/if_bridge.c 1.23.2.7
RELENG_6
src/sys/net/if_bridge.c 1.11.2.24
RELENG_6_0
src/UPDATING 1.416.2.3.2.9
src/sys/conf/newvers.sh 1.69.2.8.2.5
src/sys/net/if_bridge.c 1.11.2.12.2.4
src/sys/net80211/ieee80211_ioctl.c 1.25.2.3.2.2
FreeBSD-SA-06:07.pf Security Advisory
The FreeBSD Project

Topic: IP fragment handling panic in pf(4)

Category: contrib
Module: sys_contrib
Announced: 2006-01-25
Credits: Jakob Schlyter, Daniel Hartmeier
Affects: FreeBSD 5.3, FreeBSD 5.4, and FreeBSD 6.0
Corrected: 2006-01-25 10:00:59 UTC (RELENG_6, 6.0-STABLE)
2006-01-25 10:01:26 UTC (RELENG_6_0, 6.0-RELEASE-p4)
2006-01-25 10:01:47 UTC (RELENG_5, 5.4-STABLE)
2006-01-25 10:02:07 UTC (RELENG_5_4, 5.4-RELEASE-p10)
2006-01-25 10:02:27 UTC (RELENG_5_3, 5.3-RELEASE-p25)
CVE Name: CVE-2006-0381

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I. Background

pf is an Internet Protocol packet filter originally written for OpenBSD.
In addition to filtering packets, it also has packet normalization
capabilities.

II. Problem Description

A logic bug in pf's IP fragment cache may result in a packet fragment
being inserted twice, violating a kernel invariant.

III. Impact

By sending carefully crafted sequence of IP packet fragments, a remote
attacker can cause a system running pf with a ruleset containing a
'scrub fragment crop' or 'scrub fragment drop-ovl' rule to crash.

IV. Workaround

Do not use 'scrub fragment crop' or 'scrub fragment drop-ovl' rules
on systems running pf. In most cases, such rules can be replaced by
'scrub fragment reassemble' rules; see the pf.conf(5) manual page for
more details.

Systems which do not use pf, or use pf but do not use the aforementioned
rules, are not affected by this issue.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE or 6-STABLE, or to the
RELENG_6_0, RELENG_5_4, or RELENG_5_3 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.3, 5.4,
and 6.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:07/pf.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:07/pf.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_5
src/sys/contrib/pf/net/pf_norm.c 1.10.2.2
RELENG_5_4
src/UPDATING 1.342.2.24.2.19
src/sys/conf/newvers.sh 1.62.2.18.2.15
src/sys/contrib/pf/net/pf_norm.c 1.10.6.1
RELENG_5_3
src/UPDATING 1.342.2.13.2.28
src/sys/conf/newvers.sh 1.62.2.15.2.30
src/sys/contrib/pf/net/pf_norm.c 1.10.4.1
RELENG_6
src/sys/contrib/pf/net/pf_norm.c 1.11.2.3
RELENG_6_0
src/UPDATING 1.416.2.3.2.9
src/sys/conf/newvers.sh 1.69.2.8.2.5
src/sys/contrib/pf/net/pf_norm.c 1.11.2.1.2.1

Очередное обновление по безопасности. Затрагивает пятую ветку.
FreeBSD-SA-06:08.sack Security Advisory
The FreeBSD Project

Topic: Infinite loop in SACK handling

Category: core
Module: netinet
Announced: 2006-02-01
Credits: Scott Wood
Affects: FreeBSD 5.3 and 5.4
Corrected: 2006-01-24 01:16:18 UTC (RELENG_5, 5.4-STABLE)
2006-02-01 19:43:10 UTC (RELENG_5_4, 5.4-RELEASE-p11)
2006-02-01 19:43:36 UTC (RELENG_5_3, 5.3-RELEASE-p26)
CVE Name: CVE-2006-0433

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I. Background

SACK (Selective Acknowledgement) is an extension to the TCP/IP protocol
that allows hosts to acknowledge the receipt of some, but not all, of
the packets sent, thereby reducing the cost of retransmissions.

II. Problem Description

When insufficient memory is available to handle an incoming selective
acknowledgement, the TCP/IP stack may enter an infinite loop.

III. Impact

By opening a TCP connection and sending a carefully crafted series of
packets, an attacker may be able to cause a denial of service.

IV. Workaround

On FreeBSD 5.4, the net.inet.tcp.sack.enable sysctl can be used to
disable the use of SACK:

# sysctl net.inet.tcp.sack.enable=0

No workaround is available for FreeBSD 5.3.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE or to the RELENG_5_4 or
RELENG_5_3 security branch dated after the correction date.

2) To patch your present system:

The following patch have been verified to apply to FreeBSD 5.3 and
5.4 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:08/sack.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:08/sack.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_5
src/sys/netinet/tcp_sack.c 1.3.2.10
RELENG_5_4
src/UPDATING 1.342.2.24.2.20
src/sys/conf/newvers.sh 1.62.2.18.2.16
src/sys/netinet/tcp_sack.c 1.3.2.5.2.1
RELENG_5_3
src/UPDATING 1.342.2.13.2.29
src/sys/conf/newvers.sh 1.62.2.15.2.31
src/sys/netinet/tcp_sack.c 1.3.4.1

Очередные обновления по безопасности:
FreeBSD-SA-06:09.openssh (ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:09.openssh.asc)
FreeBSD-SA-06:10.nfs (ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:10.nfs.asc)

Очередные обновления по безопасности:
FreeBSD-SA-06:11.ipsec (ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:11.ipsec.asc)
FreeBSD-SA-06:12.opie (ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:12.opie.asc)
FreeBSD-SA-06:13.sendmail (ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:13.sendmail.asc)

Очередное обновление по безопасности:
FreeBSD-SA-06:14.fpu (ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:14.fpu.asc)

Очередные обновления по безопасности:
FreeBSD-SA-06:15.ypserv (http://security.freebsd.org/advisories/FreeBSD-SA-06:15.ypserv.asc)
FreeBSD-SA-06:16.smbfs (http://security.freebsd.org/advisories/FreeBSD-SA-06:16.smbfs.asc)

Очередное обновление по безопасности:
FreeBSD-SA-06:17.sendmail (http://security.freebsd.org/advisories/FreeBSD-SA-06:17.sendmail.asc)

Очередное обновление по безопасности:
FreeBSD-SA-06:21.gzip (http://security.freebsd.org/advisories/FreeBSD-SA-06:21.gzip.asc)

Очередное обновление по безопасности (FreeBSD-SA-06:23.openssl).
Описание и методы устранения уязвимости читать тут (http://security.FreeBSD.org/advisories/FreeBSD-SA-06:23.openssl.asc)
В догонку - FreeBSD-SA-06:22 (http://security.FreeBSD.org/advisories/FreeBSD-SA-06:22.openssh.asc)

Очередная уязвимость - FreeBSD-SA-06:24.libarchive.
Описание и методы устранения уязвимости читать тут (http://security.freebsd.org/advisories/FreeBSD-SA-06:24.libarchive.asc)
В догонку - FreeBSD-SA-06:22

Очередные обновления по безопасности.
FreeBSD-SA-06:25.kmem (http://security.freebsd.org/advisories/FreeBSD-SA-06:25.kmem.asc)
FreeBSD-SA-06:26.gtar (http://security.freebsd.org/advisories/FreeBSD-SA-06:26.gtar.asc)