Компьютерный форум OSzone.net  

Компьютерный форум OSzone.net (http://forum.oszone.net/index.php)
-   Общий по FreeBSD (http://forum.oszone.net/forumdisplay.php?f=10)
-   -   вопросы безопасности (http://forum.oszone.net/showthread.php?t=15254)

mar 28-06-2004 14:09 82123

Обнаружена уязвимость в FreeBSD 5.1 execve(). Локальный атакующий может вызвать отказ в обслуживании системы. Подробности c SecurityLab

Guest 01-07-2004 20:04 82124

А там всё на английском. Простому русскому человеку как понять? Ведь тема достаточно интересная...

mar 01-07-2004 20:16 82125

Guest а как простой русский человек собирается во free жить? в смысле с доками разбираться? ихмо без английского никуда :o

mar 03-07-2004 11:59 82126

к предыдущей заметке (уязвимость в FreeBSD 5.1 execve().)
Уязвимы системы:
FreeBSD 5.1-RELEASE/Alpha. Возможно другие версии
FreeBSD 5.1-RELEASE/IA32 не уязвима.
Насчет других архитектур - неизвестно, но возможна уязвимость.
Риск: низкий
Уязвимость локальная
дата: 23 июня 2004
описание:
Возможна атака на ядро FreeBSD/Alpha при специальном обращении к системному вызову execve().
Приведен разбор кодов и заплатка

продолжим :type:
2004-06-30 В коде ядра выявлена уязвимость в совместимости с Linux-приложениями (Linux binary compatibility mode input validation error), затрагивающая все версии 4.x и 5.x *:
Во FreeBSD, как известно, обеспечивается совместимость с бинарным кодом Linux при помощи подгружаемых модулей.
Выявленна ошибка получения некоторых системных вызовов Linux, что может привести к получению доступа к памяти без достаточной валидации.
При локальной атаке возможно чтение и/или перезапись участков памяти ядра (portions of kernel memory), *что может привести выявлению значимой информации, или к потенциальной возможности повышения привелегий. Локальная атака может вызвать сбой в системе (system panic).
Как с этим бороться:
1) внимательно прочесть документацию (ссылка дана наверху)
2) до обновления можно запретть совместимость с Linux-приложениями, выгрузив соответствующий модуль
3) обновить систему до сегодняшних 4-STABLE; или *RELENG_5_2,
RELENG_4_10, RELENG_4_9, или RELENG_4_8 security branch
4) или, как вариант - пропатчить систему:
a) скачать заплатку по одной из приведенных ссылок и проверить PGP-подпись
b) поставить заплатку:
# cd /usr/src
# patch < /path/to/patch
с) перекомпилировать ядро и перезагрузить систему

NB!!! рекомендуется внимательно ознакомится с версиями и именами заменяемых исходных файлов, а также с PGP-подписью (все данные - все по той же ссылке)


[s]Исправлено: mar, 12:16 3-07-2004[/s]


[s]Исправлено: mar, 12:20 3-07-2004[/s]

Demiurg 25-07-2004 11:34 82127

...существует некоторая программа freebsd-update, которая, как я понимаю (я не где не ошибся?) и патчит все дырки известные на данный момент... единственный минус - при перекомпилировании чего-либо (что раньше было подправлено freebsd-update'ом) процедуру freebsd-update'ирования придется повторять...

Belansky 25-07-2004 15:29 82128

Demiurg
Не freebsd-update, а в каталоге /usr/src/ make update. Читайте комментарии в /usr/src/Makefile.

Demiurg 26-07-2004 09:00 82129

...на сколько я помню - она так и называется (FreeBSD 5.2.1)... помнится сам её из портов ставил... и помнится она также и в 5.1 называлась...

mar 26-07-2004 14:35 82130

есть такая партия: /usr/ports/security/freebsd-update - но, насколько я понимаю, в отличие от make update тут Вы получите (скачаете и установите) бинарники. То есть могут возникнуть проблемы с какими-то индивидуальными сборками (?).

[s]Исправлено: mar, 14:36 26-07-2004[/s]

Demiurg 27-07-2004 00:22 82131

...как я понимаю, make update можно сделать и в /usr/src/sys... не потянет ли это ядро целиком из инета?.. или только изминившиеся ветки исходных текстов?..

Belansky 28-07-2004 10:59 82132

Demiurg
Будут закачаны только обновления, а не весь код целиком.

Demiurg 30-07-2004 00:28 82133

...а как лучше (ради стабильности системы), обновлять только ядро или и все системные библиотеки и программы... что лучше (самое необходимое) поместить в /usr/src чтобы после апдейтов проблем поменьше возникало?..

UE 03-08-2004 16:47 82134

А скажите как на ваш взгляд есть ли смысл обновляться с freeBSD 5.2.1 release? Там глюки с ACPI. И я так понял что обновлять лучше world а не только ядро верно? Хотя я пожалуй подожду 5.x STABLE. Разработчики обещали что вблизи 5.2 будет STABLE в доках ../share/doc/..

Belansky 03-08-2004 17:44 82135

Верно. При разбалансировке версии world и kernel система вообще может отказаться работать.
А переход 5.x в категорию stable ожидается к осени.

UE 04-08-2004 18:13 82136

Отлично буду ждать с нетерпением ! :up: :oszone:

Belansky 06-08-2004 17:22 82137

UE
Читайте о планах по выпуску FreeBSD 5.3-STABLE здесь.

Belansky 26-08-2004 18:45 82138

Наблюдал 26.08.2004 г. в 18.30 непонятную вещь на ftp.freebsd.org. С фтпишника полностью исчезли порты и дистфайлы, зато виден каталог /etc/ и в нем база данных с паролями для доступа к ftp. Однако. :confused:

Добавлено:

В 18.45 уже исправили. Но, кому-то, как мне, повезти могло утащить пароли для доступа в ftp.

Добавлено:

19.15. Неполадки продолжаются. Полностью исчез каталог /pub/, а каталог /etc/ виден.

Добавлено:

19.29. Вроде, все встало на места.

mar 29-08-2004 00:14 82139

хм... а во frebsd=ых рассылках ничего не было :confused:

Belansky 29-08-2004 01:03 82140

Ну, тем неменее. Глазам своим я еще верю... И наркотиками или там галюциногенами какими никогда не пользовался.

mar 30-08-2004 01:30 82141

Belansky
дык я тебе тоже верю :), а вот FreeBSD ну просто очень бы хотелось доверять :o

Belansky 30-08-2004 09:36 82142

30.08.2004 г. 09 ч. 34 мин. И опять тоже самое. Причем проверял с трех машин. Каталог /etc/ лежит, как на ладони. Непонятно, однако.

mar 30-08-2004 09:52 82143

Belansky
наверное, надо во FreeBSD.org все это отписать

Belansky 30-08-2004 10:18 82144

Хотя, посмотрел на других фтпишниках, например, ftp.relcom.ru, каталог /etc/ также виден. Может, ничего страшного в этом и нет.

mar 30-08-2004 23:38 82145

Belansky
вообще-то /etc на ftp раньше бывали видны всегда. Файл паролей там бывал без реальных паролей и без реальных пользователей, так что показ его ничему не грозил :) Вопрос в другом - насколько я поняла, там что-то странное творилось? (хотя, может быть просто переконфигуряли на глазах изумленной публики).

Belansky 01-09-2004 12:03 82146

Два дня, как все встало на места. Видимо, и впрямь что-то конфигурили на ходу.

mar 24-11-2004 11:37 274970

FreeBSD-SA-04:16: fetch - Overflow error in fetch (переполнение буфера в fetch) - сообщение от 19.11.04 (со ссылкой на http://www.freebsd.org/security/ )
- уязвимы: все версии FreeBSD
- Исправлено:
2004-11-18 12:02:13 UTC (RELENG_5, 5.3-STABLE)
2004-11-18 12:03:05 UTC (RELENG_5_3, 5.3-RELEASE-p1)
2004-11-18 12:04:29 UTC (RELENG_5_2, 5.2.1-RELEASE-p12)
2004-11-18 12:05:36 UTC (RELENG_5_1, 5.1-RELEASE-p18)
2004-11-18 12:05:50 UTC (RELENG_5_0, 5.0-RELEASE-p22)
2004-11-18 12:02:29 UTC (RELENG_4, 4.10-STABLE)
2004-11-18 12:06:06 UTC (RELENG_4_10, 4.10-RELEASE-p4)
2004-11-18 12:06:22 UTC (RELENG_4_9, 4.9-RELEASE-p13)
2004-11-18 12:06:36 UTC (RELENG_4_8, 4.8-RELEASE-p26)
2004-11-18 12:06:52 UTC (RELENG_4_7, 4.7-RELEASE-p28)

Что делать:
Либо:
1) Обновить систему до 4-STABLE, или 5-STABLE, или RELENG_5_3, RELENG_5_2, RELENG_4_10, RELENG_4_8 (на дату после указанной выше)
Либо:
2) "пропатчить" систему (FreeBSD 4.8, 4.10, 5.2, 5.3):

a) Скачайте соответствующий patch по прилагаемой ссылке и сверьте PGP - подпись при помощи утилиты PGP.

# ftp ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...16/fetch.patch
# ftp ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...etch.patch.asc

b) Выполните (от root ) следующие команды:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.bin/fetch
# make obj && make depend && make && make install

Детали исправлений (что, где, когда)

Branch Revision Path

RELENG_4
src/usr.bin/fetch/fetch.c 1.10.2.28
RELENG_4_10
src/UPDATING 1.73.2.90.2.5
src/sys/conf/newvers.sh 1.44.2.34.2.6
src/usr.bin/fetch/fetch.c 1.10.2.23.2.1
RELENG_4_9
src/UPDATING 1.73.2.89.2.14
src/sys/conf/newvers.sh 1.44.2.32.2.14
src/usr.bin/fetch/fetch.c 1.10.2.21.2.1
RELENG_4_8
src/UPDATING 1.73.2.80.2.29
src/sys/conf/newvers.sh 1.44.2.29.2.27
src/usr.bin/fetch/fetch.c 1.10.2.20.2.1
RELENG_4_7
src/UPDATING 1.73.2.74.2.32
src/sys/conf/newvers.sh 1.44.2.26.2.30
src/usr.bin/fetch/fetch.c 1.10.2.18.2.1
RELENG_5
src/usr.bin/fetch/fetch.c 1.72.2.2
RELENG_5_3
src/UPDATING 1.342.2.13.2.4
src/sys/conf/newvers.sh 1.62.2.15.2.6
src/usr.bin/fetch/fetch.c 1.72.2.1.2.1
RELENG_5_2
src/UPDATING 1.282.2.20
src/sys/conf/newvers.sh 1.56.2.19
src/usr.bin/fetch/fetch.c 1.62.4.1
RELENG_5_1
src/UPDATING 1.251.2.20
src/sys/conf/newvers.sh 1.50.2.20
src/usr.bin/fetch/fetch.c 1.62.2.1
RELENG_5_0
src/UPDATING 1.229.2.28
src/sys/conf/newvers.sh 1.48.2.23
src/usr.bin/fetch/fetch.c 1.58.2.1

Belansky 02-12-2004 19:41 277373

Новое обновление по безопасности для всех версий FreeBSD
ftp://ftp.freebsd.org/pub/FreeBSD/CE...:17.procfs.asc

Demiurg 28-02-2005 23:18 302354

...есть подозрение, что на одной машине стоит backdoor... как узнать, какой именно процесс "ломится" через ppp в инет?

misher 01-03-2005 11:23 302473

Demiurg
Может следует использовать sockstat
и посмотреть что за процессы конектятся
в сеть.

У тебя ppp -auto ...?
Просто был у меня случай. Вначале dns
сервер посылал udp пакеты. Потом
после еще оказалось что само ядро
тоже шлет пакет на multycast адрес (непомню какой, но это был не backdoor)
Вобщем если sockstat непоможет
рекомендую просмотреть спомошью tcpdump.

Belansky 31-03-2005 23:13 311831

Очередной патч по безопасности закрывающий брешь в клиенте telnet, способную привести к ошибке переполнения буфера.

Belansky 07-04-2005 18:11 313756

Два патча по безопасности. ftp://ftp.freebsd.org/pub/FreeBSD/CE...2.sendfile.asc и ftp://ftp.freebsd.org/pub/FreeBSD/CE...5:03.amd64.asc

Belansky 17-04-2005 08:45 316469

И снова патч по безопасности. При генерации списка сетевых интерфейсов ядро пишет в часть буфера, не обнуляя ее. В результате предыдущее содержимое буфера может быть доступно процессу. Процесс пользователя может получить доступ к 12 байтам данных. Эта память может содержать такую информацию, как части кэша файла или буфера терминала (например, в буфере терминала может находится пароль пользователя).

Belansky 25-04-2005 10:54 318904

Очередной патч по безопасности.

archy 06-05-2005 11:14 322153

[1] FreeBSD-SA-05:08.kmem
[2] FreeBSD-SA-05:07.ldt
[3] FreeBSD-SA-05:06.iir

Belansky 14-05-2005 08:50 324008

Очередной патч по безопасности.

mar 09-06-2005 20:34 331543

Из freebsd-security-notifications@freebsd.org
Цитата:

=============================================================================
Message: 1
FreeBSD-SA-05:10.tcpdump Security Advisory
The FreeBSD Project

Topic: Infinite loops in tcpdump protocol decoding

Category: contrib
Module: tcpdump
Announced: 2005-06-09
Credits: "Vade 79", Simon L. Nielsen
Affects: FreeBSD 5.3-RELEASE and FreeBSD 5.4-RELEASE
Corrected: 2005-06-08 21:26:27 UTC (RELENG_5, 5.4-STABLE)
2005-06-08 21:27:44 UTC (RELENG_5_4, 5.4-RELEASE-p2)
2005-06-08 21:29:15 UTC (RELENG_5_3, 5.3-RELEASE-p16)
CVE Name: CAN-2005-1267, CAN-2005-1278, CAN-2005-1279, CAN-2005-1280

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I. Background

The tcpdump utility is used to capture and examine network traffic.

II. Problem Description

Several tcpdump protocol decoders contain programming errors which can
cause them to go into infinite loops.

III. Impact

An attacker can inject specially crafted packets into the network
which, when processed by tcpdump, could lead to a denial-of-service.
After the attack, tcpdump would no longer capture traffic, and would
potentially use all available processor time.

IV. Workaround

No workaround is available.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or to the RELENG_5_4
or RELENG_5_3 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.3 and
5.4 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE.../tcpdump.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...dump.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/tcpdump/tcpdump
# make obj && make depend && make && make install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_5
src/contrib/tcpdump/print-bgp.c 1.1.1.5.2.1
src/contrib/tcpdump/print-isoclns.c 1.12.2.1
src/contrib/tcpdump/print-ldp.c 1.1.1.1.2.1
src/contrib/tcpdump/print-rsvp.c 1.1.1.1.2.1
RELENG_5_4
src/UPDATING 1.342.2.24.2.11
src/sys/conf/newvers.sh 1.62.2.18.2.7
src/contrib/tcpdump/print-bgp.c 1.1.1.5.6.1
src/contrib/tcpdump/print-isoclns.c 1.12.6.1
src/contrib/tcpdump/print-ldp.c 1.1.1.1.6.1
src/contrib/tcpdump/print-rsvp.c 1.1.1.1.6.1
RELENG_5_3
src/UPDATING 1.342.2.13.2.19
src/sys/conf/newvers.sh 1.62.2.15.2.21
src/contrib/tcpdump/print-bgp.c 1.1.1.5.4.1
src/contrib/tcpdump/print-isoclns.c 1.12.4.1
src/contrib/tcpdump/print-ldp.c 1.1.1.1.4.1
src/contrib/tcpdump/print-rsvp.c 1.1.1.1.4.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename...=CAN-2005-1267
http://cve.mitre.org/cgi-bin/cvename...=CAN-2005-1278
http://cve.mitre.org/cgi-bin/cvename...=CAN-2005-1279
http://cve.mitre.org/cgi-bin/cvename...=CAN-2005-1280
http://marc.theaimsgroup.com/?l=bugt...11454406222040
http://marc.theaimsgroup.com/?l=bugt...11454461300644

=============================================================================
Message: 2


FreeBSD-SA-05:11.gzip Security Advisory
The FreeBSD Project

Topic: gzip directory traversal and permission race vulnerabilities

Category: contrib
Module: gzip
Announced: 2005-06-09
Credits: Ulf Harnhammar, Imran Ghory
Affects: All FreeBSD releases
Corrected: 2005-06-08 21:26:27 UTC (RELENG_5, 5.4-STABLE)
2005-06-08 21:27:44 UTC (RELENG_5_4, 5.4-RELEASE-p2)
2005-06-08 21:29:15 UTC (RELENG_5_3, 5.3-RELEASE-p16)
2005-06-08 21:29:53 UTC (RELENG_4, 4.11-STABLE)
2005-06-08 21:30:43 UTC (RELENG_4_11, 4.11-RELEASE-p10)
2005-06-08 21:31:16 UTC (RELENG_4_10, 4.10-RELEASE-p15)
CVE Name: CAN-2005-0988, CAN-2005-1228

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I. Background

gzip is a file compression utility.

II. Problem Description

Two problems related to extraction of files exist in gzip:

The first problem is that gzip does not properly sanitize filenames
containing "/" when uncompressing files using the -N command line
option.

The second problem is that gzip does not set permissions on newly
extracted files until after the file has been created and the file
descriptor has been closed.

III. Impact

The first problem can allow an attacker to overwrite arbitrary local
files when uncompressing a file using the -N command line option.

The second problem can allow a local attacker to change the
permissions of arbitrary local files, on the same partition as the one
the user is uncompressing a file on, by removing the file the user is
uncompressing and replacing it with a hardlink before the uncompress
operation is finished.

IV. Workaround

Do not use the -N command line option on untrusted files and do not
uncompress files in directories where untrusted users have write
access.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10,
4.11, 5.3, and 5.4 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...:11/gzip.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...gzip.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/gnu/usr.bin/gzip
# make obj && make depend && make && make install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
-------------------------------------------------------------------------
RELENG_4
src/gnu/usr.bin/gzip/gzip.c 1.10.2.1
RELENG_4_11
src/UPDATING 1.73.2.91.2.11
src/sys/conf/newvers.sh 1.44.2.39.2.14
src/gnu/usr.bin/gzip/gzip.c 1.10.26.1
RELENG_4_10
src/UPDATING 1.73.2.90.2.16
src/sys/conf/newvers.sh 1.44.2.34.2.17
src/gnu/usr.bin/gzip/gzip.c 1.10.24.1
RELENG_5
src/gnu/usr.bin/gzip/gzip.c 1.11.2.1
RELENG_5_4
src/UPDATING 1.342.2.24.2.11
src/sys/conf/newvers.sh 1.62.2.18.2.7
src/gnu/usr.bin/gzip/gzip.c 1.11.6.1
RELENG_5_3
src/UPDATING 1.342.2.13.2.19
src/sys/conf/newvers.sh 1.62.2.15.2.21
src/gnu/usr.bin/gzip/gzip.c 1.11.4.1
-------------------------------------------------------------------------
VII. References

http://cve.mitre.org/cgi-bin/cvename...=CAN-2005-0988
http://cve.mitre.org/cgi-bin/cvename...=CAN-2005-1228
http://marc.theaimsgroup.com/?l=bugt...11271860708210
http://marc.theaimsgroup.com/?l=bugt...11402732406477


mar 09-06-2005 20:35 331544

Продолжение (опять bind)
=============================================================================
Message: 3
FreeBSD-SA-05:12.bind9 Security Advisory
The FreeBSD Project

Topic: BIND 9 DNSSEC remote denial of service vulnerability

Category: core
Module: bind9
Announced: 2005-06-09
Credits: Internet Systems Consortium
Affects: FreeBSD 5.3
Corrected: 2005-03-23 18:16:29 UTC (RELENG_5, 5.3-STABLE)
2005-06-08 21:29:15 UTC (RELENG_5_3, 5.3-RELEASE-p16)
CVE Name: CAN-2005-0034

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I. Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is the Internet domain name server. DNS Security
Extensions (DNSSEC) are additional protocol options that add
authentication and integrity to the DNS protocols.

DNSSEC is not enabled by default in any FreeBSD release. A system
administrator must take special action to enable DNSSEC.

II. Problem Description

A DNSSEC-related validator function in BIND 9.3.0 contains an
inappropriate internal consistency test. When this test is triggered,
named(8) will exit.

III. Impact

On systems with DNSSEC enabled, a remote attacker may be able to inject
a specially crafted packet that will cause the internal consistency test
to trigger, and named(8) to terminate. As a result, the name server
will no longer be available to service requests.

IV. Workaround

DNSSEC is not enabled by default, and the "dnssec-enable" directive is
not normally present. If DNSSEC has been enabled, disable it by
changing the "dnssec-enable" directive to "dnssec-enable no;" in the
named.conf(5) configuration file.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or to the RELENG_5_3
security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.3
systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...12/bind9.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...ind9.patch.asc

b) Execute the following commands as root:

# cd /usr/src/
# patch < /path/to/patch
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
-------------------------------------------------------------------------
RELENG_5
src/contrib/bind9/lib/dns/validator.c 1.1.1.1.2.2
RELENG_5_3
src/UPDATING 1.342.2.13.2.19
src/sys/conf/newvers.sh 1.62.2.15.2.21
src/contrib/bind9/lib/dns/validator.c 1.1.1.1.2.1.2.1
-------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename...=CAN-2005-0034
http://www.kb.cert.org/vuls/id/938617
http://www.isc.org/index.pl?/sw/bind/bind-security.php
http://www.isc.org/index.pl?/sw/bind/bind9.php

mar 30-06-2005 21:55 337327

Цитата:

----------------------------------------------------------------------
Message: 1
Date: Wed, 29 Jun 2005 21:54:54 GMT
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-05:13.ipfw
To: FreeBSD Security Advisories <security-advisories@freebsd.org>
Message-ID: <200506292154.j5TLssOf008150@freefall.freebsd.org>
=============================================================================
FreeBSD-SA-05:13.ipfw Security Advisory
The FreeBSD Project

Topic: ipfw packet matching errors with address tables

Category: core
Module: netinet
Announced: 2005-06-29
Credits: Max Laier
Affects: FreeBSD 5.4-RELEASE
Corrected: 2005-06-29 21:38:48 UTC (RELENG_5, 5.4-STABLE)
2005-06-29 21:41:03 UTC (RELENG_5_4, 5.4-RELEASE-p3)
CVE Name: CAN-2005-2019

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I. Background

ipfw(8) is a system facility which allows IP packet filtering,
redirecting, and traffic accounting. ipfw lookup tables are a way to
specify many IP addresses which can be used for packet matching in an
efficient manner.

II. Problem Description

The ipfw tables lookup code caches the result of the last query. The
kernel may process multiple packets concurrently, performing several
concurrent table lookups. Due to an insufficient locking, a cached
result can become corrupted that could cause some addresses to be
incorrectly matched against a lookup table.

III. Impact

When lookup tables are used with ipfw, packets may on very rare
occasions incorrectly match a lookup table. This could result in a
packet being treated contrary to the defined packet filtering ruleset.
For example, a packet may be allowed to pass through when it should
have been discarded.

The problem can only occur on Symmetric Multi-Processor (SMP) systems,
or on Uni Processor (UP) systems with the PREEMPTION kernel option
enabled (not the default).

IV. Workaround

a) Do not use lookup tables.

OR

b) Disable concurrent processing of packets in the network stack by
setting the "debug.mpsafenet=0" tunable:

# echo "debug.mpsafenet=0" >> /boot/loader.conf

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or to the RELENG_5_4
security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.4
systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...:13/ipfw.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...ipfw.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_5
src/sys/netinet/ip_fw2.c 1.70.2.14
RELENG_5_4
src/UPDATING 1.342.2.24.2.12
src/sys/conf/newvers.sh 1.62.2.18.2.8
src/sys/netinet/ip_fw2.c 1.70.2.10.2.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename...=CAN-2005-2019

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CE...05:13.ipfw.asc

mar 30-06-2005 21:56 337328

Цитата:

essage: 2
Date: Wed, 29 Jun 2005 21:55:00 GMT
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-05:14.bzip2
To: FreeBSD Security Advisories <security-advisories@freebsd.org>
Message-ID: <200506292155.j5TLt0cj008194@freefall.freebsd.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-05:14.bzip2 Security Advisory
The FreeBSD Project

Topic: bzip2 denial of service and permission race vulnerabilities

Category: contrib
Module: contrib_bzip2
Announced: 2005-06-29
Credits: Imran Ghory, Chris Evans
Affects: All FreeBSD releases
Corrected: 2005-06-29 21:38:48 UTC (RELENG_5, 5.4-STABLE)
2005-06-29 21:41:03 UTC (RELENG_5_4, 5.4-RELEASE-p3)
2005-06-29 21:42:33 UTC (RELENG_5_3, 5.3-RELEASE-p17)
2005-06-29 21:43:42 UTC (RELENG_4, 4.11-STABLE)
2005-06-29 21:45:14 UTC (RELENG_4_11, 4.11-RELEASE-p11)
2005-06-29 21:46:15 UTC (RELENG_4_10, 4.10-RELEASE-p16)
CVE Name: CAN-2005-0953, CAN-2005-1260

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I. Background

bzip2 is a block-sorting file compression utility.

II. Problem Description

Two problems have been discovered relating to the extraction of
bzip2-compressed files. First, a carefully constructed invalid bzip2
archive can cause bzip2 to enter an infinite loop. Second, when
creating a new file, bzip2 closes the file before setting its
permissions.

III. Impact

The first problem can cause bzip2 to extract a bzip2 archive to an
infinitely large file. If bzip2 is used in automated processing of
untrusted files this could be exploited by an attacker to create an
denial-of-service situation by exhausting disk space or by consuming
all available cpu time.

The second problem can allow a local attacker to change the
permissions of local files owned by the user executing bzip2 providing
that they have write access to the directory in which the file is
being extracted.

IV. Workaround

Do not uncompress bzip2 archives from untrusted sources and do not
uncompress files in directories where untrusted users have write
access.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10,
4.11, 5.3, and 5.4 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...14/bzip2.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...zip2.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libbz2
# make obj && make depend && make && make install
# cd /usr/src/usr.bin/bzip2
# make obj && make depend && make && make install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_4
contrib/bzip2/bzip2.c 1.1.1.1.2.3
contrib/bzip2/bzlib.c 1.1.1.1.2.3
contrib/bzip2/compress.c 1.1.1.1.2.3
contrib/bzip2/decompress.c 1.1.1.1.2.3
contrib/bzip2/huffman.c 1.1.1.1.2.3
RELENG_4_11
src/UPDATING 1.73.2.91.2.12
src/sys/conf/newvers.sh 1.44.2.39.2.15
contrib/bzip2/bzip2.c 1.1.1.1.2.2.12.1
contrib/bzip2/bzlib.c 1.1.1.1.2.2.12.1
contrib/bzip2/compress.c 1.1.1.1.2.2.12.1
contrib/bzip2/decompress.c 1.1.1.1.2.2.12.1
contrib/bzip2/huffman.c 1.1.1.1.2.2.12.1
RELENG_4_10
src/UPDATING 1.73.2.90.2.17
src/sys/conf/newvers.sh 1.44.2.34.2.18
contrib/bzip2/bzip2.c 1.1.1.1.2.2.10.1
contrib/bzip2/bzlib.c 1.1.1.1.2.2.10.1
contrib/bzip2/compress.c 1.1.1.1.2.2.10.1
contrib/bzip2/decompress.c 1.1.1.1.2.2.10.1
contrib/bzip2/huffman.c 1.1.1.1.2.2.10.1
RELENG_5
contrib/bzip2/bzip2.c 1.1.1.2.8.1
contrib/bzip2/bzlib.c 1.1.1.2.8.1
contrib/bzip2/compress.c 1.1.1.2.8.1
contrib/bzip2/decompress.c 1.1.1.2.8.1
contrib/bzip2/huffman.c 1.1.1.2.8.1
RELENG_5_4
src/UPDATING 1.342.2.24.2.12
src/sys/conf/newvers.sh 1.62.2.18.2.8
contrib/bzip2/bzip2.c 1.1.1.2.12.1
contrib/bzip2/bzlib.c 1.1.1.2.12.1
contrib/bzip2/compress.c 1.1.1.2.12.1
contrib/bzip2/decompress.c 1.1.1.2.12.1
contrib/bzip2/huffman.c 1.1.1.2.12.1
RELENG_5_3
src/UPDATING 1.342.2.13.2.20
src/sys/conf/newvers.sh 1.62.2.15.2.22
contrib/bzip2/bzip2.c 1.1.1.2.10.1
contrib/bzip2/bzlib.c 1.1.1.2.10.1
contrib/bzip2/compress.c 1.1.1.2.10.1
contrib/bzip2/decompress.c 1.1.1.2.10.1
contrib/bzip2/huffman.c 1.1.1.2.10.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename...=CAN-2005-0953
http://cve.mitre.org/cgi-bin/cvename...=CAN-2005-1260
http://marc.theaimsgroup.com/?l=bugt...11229375217633
http://scary.beasts.org/security/CESA-2005-002.txt

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CE...05:14.bzip.asc

mar 30-06-2005 21:56 337329

Цитата:

: 2
Date: Wed, 29 Jun 2005 21:55:00 GMT
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-05:14.bzip2
To: FreeBSD Security Advisories <security-advisories@freebsd.org>
Message-ID: <200506292155.j5TLt0cj008194@freefall.freebsd.org>

=============================================================================
FreeBSD-SA-05:14.bzip2 Security Advisory
The FreeBSD Project

Topic: bzip2 denial of service and permission race vulnerabilities

Category: contrib
Module: contrib_bzip2
Announced: 2005-06-29
Credits: Imran Ghory, Chris Evans
Affects: All FreeBSD releases
Corrected: 2005-06-29 21:38:48 UTC (RELENG_5, 5.4-STABLE)
2005-06-29 21:41:03 UTC (RELENG_5_4, 5.4-RELEASE-p3)
2005-06-29 21:42:33 UTC (RELENG_5_3, 5.3-RELEASE-p17)
2005-06-29 21:43:42 UTC (RELENG_4, 4.11-STABLE)
2005-06-29 21:45:14 UTC (RELENG_4_11, 4.11-RELEASE-p11)
2005-06-29 21:46:15 UTC (RELENG_4_10, 4.10-RELEASE-p16)
CVE Name: CAN-2005-0953, CAN-2005-1260

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I. Background

bzip2 is a block-sorting file compression utility.

II. Problem Description

Two problems have been discovered relating to the extraction of
bzip2-compressed files. First, a carefully constructed invalid bzip2
archive can cause bzip2 to enter an infinite loop. Second, when
creating a new file, bzip2 closes the file before setting its
permissions.

III. Impact

The first problem can cause bzip2 to extract a bzip2 archive to an
infinitely large file. If bzip2 is used in automated processing of
untrusted files this could be exploited by an attacker to create an
denial-of-service situation by exhausting disk space or by consuming
all available cpu time.

The second problem can allow a local attacker to change the
permissions of local files owned by the user executing bzip2 providing
that they have write access to the directory in which the file is
being extracted.

IV. Workaround

Do not uncompress bzip2 archives from untrusted sources and do not
uncompress files in directories where untrusted users have write
access.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10,
4.11, 5.3, and 5.4 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...14/bzip2.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...zip2.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libbz2
# make obj && make depend && make && make install
# cd /usr/src/usr.bin/bzip2
# make obj && make depend && make && make install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_4
contrib/bzip2/bzip2.c 1.1.1.1.2.3
contrib/bzip2/bzlib.c 1.1.1.1.2.3
contrib/bzip2/compress.c 1.1.1.1.2.3
contrib/bzip2/decompress.c 1.1.1.1.2.3
contrib/bzip2/huffman.c 1.1.1.1.2.3
RELENG_4_11
src/UPDATING 1.73.2.91.2.12
src/sys/conf/newvers.sh 1.44.2.39.2.15
contrib/bzip2/bzip2.c 1.1.1.1.2.2.12.1
contrib/bzip2/bzlib.c 1.1.1.1.2.2.12.1
contrib/bzip2/compress.c 1.1.1.1.2.2.12.1
contrib/bzip2/decompress.c 1.1.1.1.2.2.12.1
contrib/bzip2/huffman.c 1.1.1.1.2.2.12.1
RELENG_4_10
src/UPDATING 1.73.2.90.2.17
src/sys/conf/newvers.sh 1.44.2.34.2.18
contrib/bzip2/bzip2.c 1.1.1.1.2.2.10.1
contrib/bzip2/bzlib.c 1.1.1.1.2.2.10.1
contrib/bzip2/compress.c 1.1.1.1.2.2.10.1
contrib/bzip2/decompress.c 1.1.1.1.2.2.10.1
contrib/bzip2/huffman.c 1.1.1.1.2.2.10.1
RELENG_5
contrib/bzip2/bzip2.c 1.1.1.2.8.1
contrib/bzip2/bzlib.c 1.1.1.2.8.1
contrib/bzip2/compress.c 1.1.1.2.8.1
contrib/bzip2/decompress.c 1.1.1.2.8.1
contrib/bzip2/huffman.c 1.1.1.2.8.1
RELENG_5_4
src/UPDATING 1.342.2.24.2.12
src/sys/conf/newvers.sh 1.62.2.18.2.8
contrib/bzip2/bzip2.c 1.1.1.2.12.1
contrib/bzip2/bzlib.c 1.1.1.2.12.1
contrib/bzip2/compress.c 1.1.1.2.12.1
contrib/bzip2/decompress.c 1.1.1.2.12.1
contrib/bzip2/huffman.c 1.1.1.2.12.1
RELENG_5_3
src/UPDATING 1.342.2.13.2.20
src/sys/conf/newvers.sh 1.62.2.15.2.22
contrib/bzip2/bzip2.c 1.1.1.2.10.1
contrib/bzip2/bzlib.c 1.1.1.2.10.1
contrib/bzip2/compress.c 1.1.1.2.10.1
contrib/bzip2/decompress.c 1.1.1.2.10.1
contrib/bzip2/huffman.c 1.1.1.2.10.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename...=CAN-2005-0953
http://cve.mitre.org/cgi-bin/cvename...=CAN-2005-1260
http://marc.theaimsgroup.com/?l=bugt...11229375217633
http://scary.beasts.org/security/CESA-2005-002.txt

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CE...05:14.bzip.asc

mar 30-06-2005 21:57 337330

Цитата:

Message: 3
Date: Wed, 29 Jun 2005 21:55:05 GMT
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-05:15.tcp
To: FreeBSD Security Advisories <security-advisories@freebsd.org>
Message-ID: <200506292155.j5TLt5ig008238@freefall.freebsd.org>

=============================================================================
FreeBSD-SA-05:15.tcp Security Advisory
The FreeBSD Project

Topic: TCP connection stall denial of service

Category: core
Module: inet
Announced: 2005-06-29
Credits: Noritoshi Demizu
Affects: All FreeBSD releases.
Corrected: 2005-06-29 21:38:48 UTC (RELENG_5, 5.4-STABLE)
2005-06-29 21:41:03 UTC (RELENG_5_4, 5.4-RELEASE-p3)
2005-06-29 21:42:33 UTC (RELENG_5_3, 5.3-RELEASE-p17)
2005-06-29 21:43:42 UTC (RELENG_4, 4.11-STABLE)
2005-06-29 21:45:14 UTC (RELENG_4_11, 4.11-RELEASE-p11)
2005-06-29 21:46:15 UTC (RELENG_4_10, 4.10-RELEASE-p16)
CVE Name: CAN-2005-0356, CAN-2005-2068

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I. Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data
stream service. TCP timestamps are used to measure Round-Trip Time
and in the Protect Against Wrapped Sequences (PAWS) algorithm. TCP
packets with the SYN flag set are used during setup of new TCP
connections.

II. Problem Description

Two problems have been discovered in the FreeBSD TCP stack.

First, when a TCP packets containing a timestamp is received, inadequate
checking of sequence numbers is performed, allowing an attacker to
artificially increase the internal "recent" timestamp for a connection.

Second, a TCP packet with the SYN flag set is accepted for established
connections, allowing an attacker to overwrite certain TCP options.

III. Impact

Using either of the two problems an attacker with knowledge of the
local and remote IP and port numbers associated with a connection
can cause a denial of service situation by stalling the TCP connection.
The stalled TCP connection my be closed after some time by the other
host.

IV. Workaround

In some cases it may be possible to defend against these attacks by
blocking the attack packets using a firewall. Packets used to effect
either of these attacks would have spoofed source IP addresses.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10,
4.11, 5.3, and 5.4 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...:15/tcp4.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...tcp4.patch.asc

[FreeBSD 5.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...5:15/tcp.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE.../tcp.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_4
src/sys/netinet/tcp_input.c 1.107.2.44
RELENG_4_11
src/UPDATING 1.73.2.91.2.12
src/sys/conf/newvers.sh 1.44.2.39.2.15
src/sys/netinet/tcp_input.c 1.107.2.41.4.3
RELENG_4_10
src/UPDATING 1.73.2.90.2.17
src/sys/conf/newvers.sh 1.44.2.34.2.18
src/sys/netinet/tcp_input.c 1.107.2.41.2.1
RELENG_5
src/sys/netinet/tcp_input.c 1.252.2.16
RELENG_5_4
src/UPDATING 1.342.2.24.2.12
src/sys/conf/newvers.sh 1.62.2.18.2.8
src/sys/netinet/tcp_input.c 1.252.2.14.2.1
RELENG_5_3
src/UPDATING 1.342.2.13.2.20
src/sys/conf/newvers.sh 1.62.2.15.2.22
src/sys/netinet/tcp_input.c 1.252.4.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename...=CAN-2005-0356
http://cve.mitre.org/cgi-bin/cvename...=CAN-2005-2068
http://www.kb.cert.org/vuls/id/637934

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CE...-05:15.tcp.asc

SantaXP 04-07-2005 02:40 338141

Хм... Слушайте, раз уж тема так называется - мне очень не хочется, чтобы мою систему кто-нить хакнул, поэтому - подскажите какую прогу, с помощью которой можно было бы искать руткиты и т.д. То есть, чтобы она как ipfw работала на фоне и не давала никому взломать мою Фри. :)

mar 04-07-2005 12:13 338231

SantaXP
вообще-то FreeBSD неплохо защищена по-дефолту, но ежели хочется дополнений (в том числе по руткитам):
1) смотрим какой у Вас стоит securelevel и рихтуем, если надо
2) расставляем (если надо) и куда считаем нужным флаг schg
3) в /etc/fstab для /tmp устанавливаем: rw,noexec,nosuid,nodev,nosymfollow и nodev на все места, где не нужны dev (а не нужны они нигде, кроме /dev и мест, где организуется chroot, или jail-среда)
4) Если стоит ipfw, убедитесь в том, что у Вас на вход закрыто все, кроме необходимого, а большая часть необходимого открывается изнутри по запросу (динамические правила)
5) Правим /etc/sysctl.conf (защищаемся от DOS-атак, превращаем машину в черную дыру для nmap и Ko и т.д.)
Цитата:

# Предотвращение DoS атак в FreeBSD
net.inet.tcp.msl=время # время ожидания ACK в ответ на SYN-ACK или FIN-ACK в миллисекундах
net.inet.tcp.blackhole=2 # blackhole pings, traceroutes, etc. - все пакеты на закрытый порт отбрасываются без отсылки RST; (черная дыра)
net.inet.udp.blackhole=1 # отбрасывать пакеты для закрытых портов;
net.inet.icmp.icmplim=50 # защита от генерирование потока ответных пакетов,
#- максимальное количество ICMP Unreachable и TCP RST пакетов в секунду
6) если установлен демон ssh,
3-1) - правим (и проверяем /etc/ssh/sshd_config, обращаем внимание:
Цитата:

Port 22 # или тот, на котором хотите слушать
AllowUsers SantaXP # только этому пользователю
PermitEmptyPasswords no # нет пустым паролям (по-дефолту)
PermitRootLogin no # никаких рутовых входов (по-дефолту)
+ смотрите, что Вам кажется более безопасным - ключи, или пароли
3-2) правим /etc/hosts.allow, разрешая вход по ssh только с определенных ip (заодно правим нужное для других демонов)
7) Ставим программу portsentry и настраиваем ее на блокировку атакующих хостов (чтоб больше не лезли)
8) Установливаем программу chkrootkit и припишите в crontab:
Цитата:

0 3 * * * root (/usr/local/sbin/chkrootkit -q 2>&1 | mail -s "chkrootkit output" root)
9) не забываем читать логи (в aliases прописываем root: свой ник и даем команду newaliases
На самом деле можно защищаться и сильнее, вопрос, насколько это нужно (одно дело защита firewall, другое - внутреннего сервера, третье - рабочей машины :))

Belansky 05-07-2005 09:04 338457

SantaXP
Если Вас заинтересовали вопросы безопасности, можете почитать статью Дрю Лавинь "Защита от троянов и руткитов."

mar 05-07-2005 11:02 338501

в дополнние - еще несколько ссылок:
http://www.freebsd.org/security/security.html - FreeBSD Security Information
+ лучше бы подписаться на freebsd-security-notifications@freebsd.org (есть и другие листки рассылки)
Увеличение безопасности FreeBSD (советую читать вместе с обсуждениями - ссылки там же)
man 8 sshd
man 8 init

SantaXP 05-07-2005 19:21 338635

mar
Спасибо, будет время почитаю. :)
----
Хм... А ещё вопрос насчёт безопастности, а куда можно записать правила для ipfw, ибо я их записал в sh скрипт, но уже замучился его каждый раз вызывать...
----
Кстати, раз уж тема так называется - а почему считатеся, что сидеть в иксах под рутом - это суицид. И вообще, каким образом Иксы влия.т на безопастность???

bdancer 05-07-2005 21:13 338653

SantaXP
По-дефолту слушают 6000 порт

mar 06-07-2005 02:21 338717

SantaXP
Цитата:

Спасибо, будет время почитаю
вперед :) хотя кое-что (настроечные файлы см. выше пункты 1-9) стоит почитать заранее ;]


Цитата:

куда можно записать правила для ipfw
в /etc/rc.conf можно вставить строки:
Цитата:

firewall_enable="YES" #Запускаем при старте работу ipfw
firewall_script="путь_к_файлу_со_скриптом" #Скрипт с правилами ipfw
Насчет рута: вообще работать под рутом без надобности (не только в иксах) - это путь к суициду (системы). Мне приходилось помогать человеку восстанавливать систему после того, как он снес каталог /bin Как Вам такое? =) Ну, а в иксах еще проще, наверное, кликая мышкой, сделать что-нибуь не менее фатальное (все-таки, когда человек вводит команду в командной строке, есть ненулевой шанс задуматься :))
Ну, и, как всегда, на закуску несколько ссылок:
http://www.linux.org.ru/books/lor-fa...12.html#ss12.7
http://www.linuxforum.ru/lofiversion...php/t3638.html

SantaXP 06-07-2005 21:24 338970

firewall_enable="YES" #Запускаем при старте работу ipfw
firewall_script="путь_к_файлу_со_скриптом" #Скрипт с правилами ipfw
Хм... У меня это указано... Хе... Дык, там стоит firewall_script="/etc/rc.firewall", видимо туда и надо записывать... А если указать на другой файл, я файрвол не испрчю, а то у меня есть подозрение, что /etc/rc.firewall содержит ещё кое-что необходимое для работы ipfw???

mar 06-07-2005 23:41 339006

SantaXP
Цитата:

А если указать на другой файл, я файрвол не испрчю
не испортите, просто будут выполняться только те условия, которые в Вашем файле (или правьте /etc/rc.firewall - только сохраните оригинал =))

Belansky 08-07-2005 12:23 339417

Очередной патч по безопасности.
Цитата:

FreeBSD-SA-05:16.zlib Security Advisory
The FreeBSD Project

Topic: Buffer overflow in zlib

Category: core
Module: libz
Announced: 2005-07-06
Credits: Tavis Ormandy
Affects: FreeBSD 5.3, FreeBSD 5.4
Corrected: 2005-07-06 14:01:11 UTC (RELENG_5, 5.4-STABLE)
2005-07-06 14:01:30 UTC (RELENG_5_4, 5.4-RELEASE-p4)
2005-07-06 14:01:52 UTC (RELENG_5_3, 5.3-RELEASE-p18)
CVE Name: CAN-2005-2096

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I. Background

zlib is a compression library used by numerous applications to provide
data compression/decompression routines.

II. Problem Description

An error in the handling of corrupt compressed data streams can result
in a buffer being overflowed.

III. Impact

By carefully crafting a corrupt compressed data stream, an attacker can
overwrite data structures in a zlib-using application. This may cause
the application to halt, causing a denial of service; or it may result
in the attacker gaining elevated privileges.

IV. Workaround

No workaround is available.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or to the RELENG_5_4 or
RELENG_5_3 security branch dated after the correction date.

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 5.3 and 5.4
systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...:16/zlib.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...zlib.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libz/
# make obj && make depend && make && make install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_5
src/lib/libz/inftrees.c 1.4.2.2
RELENG_5_4
src/UPDATING 1.342.2.24.2.13
src/sys/conf/newvers.sh 1.62.2.18.2.9
src/lib/libz/inftrees.c 1.4.6.1
RELENG_5_3
src/UPDATING 1.342.2.13.2.21
src/sys/conf/newvers.sh 1.62.2.15.2.23
src/lib/libz/inftrees.c 1.4.4.1

SantaXP 08-07-2005 14:50 339472

Belansky
А эти патчи, они устанавливаются каждый по отдельности или последующий содержит все остальные изменения в системе из предыдущих???
И ещё - их инсталить обязательно? Насколько их неналичие на компе может отразиться на безопастности системы???

Belansky 08-07-2005 20:03 339577

SantaXP
Цитата:

А эти патчи, они устанавливаются каждый по отдельности или последующий содержит все остальные изменения в системе из предыдущих???
Каждый сам за себя. :) Тут нет понятия куммулятивных патчей, как в Windows. Каждый патч накладывается отдельно и пересобирается какая-либо часть системы. Либо, в результате обновления системы через cvsup измененные версии пропатченных файлов автоматически размещаются среди исходного кода системы. И тогда остается только пересобрать систему посредством make buildworld, make buildkernell и т.д.
Цитата:

И ещё - их инсталить обязательно? Насколько их неналичие на компе может отразиться на безопастности системы???
А это хозяин - барин. :) Критичность обнаруженной дыры смотрите в описании к патчу. В плане безопасности лучше перебдеть, чем недобдеть. :)

SantaXP 08-07-2005 22:46 339604

Belansky
Слушайте, вы я думаю в курсе, что у меня модем. Посему, вытянет ли мой модем при средней скорости от 4 до 6 (правда однажды было и 7, но не долго :) ) kb/s обновление системы через cvsup???
----
оффтоп: я многое слышал про cvsup, однако, что это а штука пока не понял. Это что-то вроде средства автоматизированного обновления системы???

Belansky 09-07-2005 09:42 339697

SantaXP
Цитата:

вытянет ли мой модем при средней скорости от 4 до 6 kb/s обновление системы через cvsup?
Легко и непринужденно. Дома у меня тоже dialup. Минут за 15-20 вся процедура заканчивается.
Цитата:

Это что-то вроде средства автоматизированного обновления системы?
Это средство синхронизации исходников системы и коллекции портов с удаленным cvsup-сервером по состоянию на какой-либо момент времени. Если прописать работу cvsup через cron, то будет автоматизированным средством. Подробнее о cvsup читайте в руководстве пользователя. И в разделе эта тему уже неоднократно обсуждалась.

SantaXP 09-07-2005 22:14 339818

Belansky
ОК, будет время - поищу спасибо... :)

Belansky 22-07-2005 08:40 342842

Очередное обновление по безопасности ftp://ftp.freebsd.org/pub/FreeBSD/CE...5:17.devfs.asc
Цитата:

FreeBSD-SA-05:17.devfs Security Advisory
The FreeBSD Project

Topic: devfs ruleset bypass

Category: core
Module: devfs
Announced: 2005-07-20
Credits: Robert Watson
Affects: All FreeBSD 5.x releases
Corrected: 2005-07-20 13:35:44 UTC (RELENG_5, 5.4-STABLE)
2005-07-20 13:36:32 UTC (RELENG_5_4, 5.4-RELEASE-p5)
2005-07-20 13:37:27 UTC (RELENG_5_3, 5.3-RELEASE-p19)
CVE Name: CAN-2005-2218

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I. Background

The jail(2) system call allows a system administrator to lock a process
and all of its descendants inside an environment with a very limited
ability to affect the system outside that environment, even for
processes with superuser privileges. It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.

The device file system, or devfs(5), provides access to kernel's device
namespace in the global file system namespace. This includes access to
to system devices such as storage devices, kernel and system memory
devices, BPF devices, and serial port devices. Devfs is is generally
mounted as /dev. Devfs rulesets allow an administrator to hide
certain device nodes; this is most commonly applied to a devfs mounted
for use inside a jail, in order to make devices inaccessible to
processes within that jail.

II. Problem Description

Due to insufficient parameter checking of the node type during device
creation, any user can expose hidden device nodes on devfs mounted
file systems within their jail. Device nodes will be created in the
jail with their normal default access permissions.

III. Impact

Jailed processes can get access to restricted resources on the host
system. For jailed processes running with superuser privileges this
implies access to all devices on the system. This level of access
can lead to information leakage and privilege escalation.

IV. Workaround

Unmount device file systems mounted inside jails. Note that certain
device nodes, such as /dev/null, may be required for some software to
function correctly.

This can be done by executing the following command as root:

umount -A -t devfs

Also, remove or comment out any lines in fstab(5) that reference
`devfs' and has a mount point within a jail, so that they will not be
re-mounted at next reboot.

Some device file systems might be busy, including the host's main /dev
file system, and processes accessing these must be shut down before
the device file system can be unmounted. The hosts main device file
system, mounted as /dev, should not be unmounted since it is required
for normal system operation.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or to the RELENG_5_4,
or RELENG_5_3 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.3, and
5.4 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...17/devfs.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...evfs.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_5
src/sys/fs/devfs/devfs_vnops.c 1.73.2.2
RELENG_5_4
src/UPDATING 1.342.2.24.2.14
src/sys/conf/newvers.sh 1.62.2.18.2.10
src/sys/fs/devfs/devfs_vnops.c 1.73.2.1.2.1
RELENG_5_3
src/UPDATING 1.342.2.13.2.22
src/sys/conf/newvers.sh 1.62.2.15.2.24
src/sys/fs/devfs/devfs_vnops.c 1.73.4.1

Belansky 27-07-2005 23:27 344026

Очередные обновления по безопасности.
ftp://ftp.freebsd.org/pub/FreeBSD/CE...05:18.zlib.asc
Цитата:

FreeBSD-SA-05:18.zlib Security Advisory
The FreeBSD Project

Topic: Buffer overflow in zlib

Category: core
Module: libz
Announced: 2005-07-27
Credits: Markus Oberhumer
Affects: FreeBSD 5.3, FreeBSD 5.4
Corrected: 2005-07-27 08:41:44 UTC (RELENG_6, 6.0-BETA2)
2005-07-27 08:41:56 UTC (RELENG_5, 5.4-STABLE)
2005-07-27 08:42:16 UTC (RELENG_5_4, 5.4-RELEASE-p6)
2005-07-27 08:42:38 UTC (RELENG_5_3, 5.3-RELEASE-p20)
CVE Name: CAN-2005-1849

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

NOTE WELL: The issue discussed in this advisory is distinct from the
issue discussed in the earlier advisory FreeBSD-SA-05:16.zlib, although
the impact is very similar.

I. Background

zlib is a compression library used by numerous applications to provide
data compression/decompression routines.

II. Problem Description

A fixed-size buffer is used in the decompression of data streams. Due
to erronous analysis performed when zlib was written, this buffer,
which was belived to be sufficiently large to handle any possible input
stream, is in fact too small.

III. Impact

A carefully constructed compressed data stream can result in zlib
overwriting some data structures. This may cause applications to halt,
resulting in a denial of service; or it may result in an attacker
gaining elevated privileges.

IV. Workaround

No workaround is available.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or to the RELENG_5_4 or
RELENG_5_3 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.3, and 5.4
systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...:18/zlib.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...zlib.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libz/
# make obj && make depend && make && make install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_5
src/lib/libz/inftrees.h 1.1.1.5.2.1
RELENG_5_4
src/UPDATING 1.342.2.24.2.15
src/sys/conf/newvers.sh 1.62.2.18.2.11
src/lib/libz/inftrees.h 1.1.1.5.6.1
RELENG_5_3
src/UPDATING 1.342.2.13.2.23
src/sys/conf/newvers.sh 1.62.2.15.2.25
src/lib/libz/inftrees.h 1.1.1.5.4.1
RELENG_6
src/lib/libz/inftrees.h 1.1.1.5.8.1
И еще.
ftp://ftp.freebsd.org/pub/FreeBSD/CE...5:19.ipsec.asc
Цитата:

FreeBSD-SA-05:19.ipsec Security Advisory
The FreeBSD Project

Topic: Incorrect key usage in AES-XCBC-MAC

Category: core
Module: netinet6
Announced: 2005-07-27
Credits: Yukiyo Akisada, Yokogawa Electric Corporation
Affects: FreeBSD 5.3, FreeBSD 5.4
Corrected: 2005-07-27 08:41:44 UTC (RELENG_6, 6.0-BETA2)
2005-07-27 08:41:56 UTC (RELENG_5, 5.4-STABLE)
2005-07-27 08:42:16 UTC (RELENG_5_4, 5.4-RELEASE-p6)
2005-07-27 08:42:38 UTC (RELENG_5_3, 5.3-RELEASE-p20)
CVE Name: CAN-2005-2359

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I. Background

IPsec is a security protocol for the Internet Protocol networking
layer. It provides a combination of encryption and authentication of
system, using several possible cryptography algorithms.

II. Problem Description

A programming error in the implementation of the AES-XCBC-MAC algorithm
for authentication resulted in a constant key being used instead of the
key specified by the system administrator.

III. Impact

If the AES-XCBC-MAC algorithm is used for authentication in the absence
of any encryption, then an attacker may be able to forge packets which
appear to originate from a different system and thereby succeed in
establishing an IPsec session. If access to sensitive information or
systems is controlled based on the identity of the source system, this
may result in information disclosure or privilege escalation.

IV. Workaround

Do not use the AES-XCBC-MAC algorithm for authentication, or use it
together with some form of IPsec encryption.

Systems which do not use IPsec, use other algorithms, or have IPsec
encryption enabled are unaffected by this issue.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or to the RELENG_5_4 or
RELENG_5_3 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.3 and 5.4
systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...19/ipsec.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...psec.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_5
src/sys/netinet6/ah_aesxcbcmac.c 1.1.4.2
RELENG_5_4
src/UPDATING 1.342.2.24.2.15
src/sys/conf/newvers.sh 1.62.2.18.2.11
src/sys/netinet6/ah_aesxcbcmac.c 1.1.4.1.2.1
RELENG_5_3
src/UPDATING 1.342.2.13.2.23
src/sys/conf/newvers.sh 1.62.2.15.2.25
src/sys/netinet6/ah_aesxcbcmac.c 1.1.6.1
RELENG_6
src/sys/netinet6/ah_aesxcbcmac.c 1.2.2.1

Demiurg 01-08-2005 09:53 345041

В системе по умолчанию присутствует второй root - toor. Вопрос такой: какой у него пароль по умолчанию, и, если этого пользователя убрать, нарушится ли какая-то функциональность в системе? Нужно ли после 'отчисления' этого пользователя перестраивать базу данных паролей?

Belansky 01-08-2005 10:38 345063

Demiurg
По поводу пользователя toor почитайте здесь и здесь.

Belansky 13-09-2005 09:21 355091

Что-то у нас упорно про заплатку от седьмого сентября сего года молчат? :)
Цитата:

FreeBSD-SA-05:20.cvsbug Security Advisory
The FreeBSD Project

Topic: Race condition in cvsbug

Category: contrib
Module: contrib_cvs
Announced: 2005-09-07
Credits: Marcus Meissner
Affects: All FreeBSD releases
Corrected: 2005-09-07 13:43:05 UTC (RELENG_6, 6.0-BETA5)
2005-09-07 13:43:23 UTC (RELENG_5, 5.4-STABLE)
2005-09-07 13:43:36 UTC (RELENG_5_4, 5.4-RELEASE-p7)
2005-09-09 19:26:19 UTC (RELENG_5_3, 5.3-RELEASE-p22)
2005-09-07 13:44:06 UTC (RELENG_4, 4.11-STABLE)
2005-09-07 13:44:20 UTC (RELENG_4_11, 4.11-RELEASE-p12)
2005-09-09 19:24:22 UTC (RELENG_4_10, 4.10-RELEASE-p18)
CVE Name: CAN-2005-2693

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

0. Revision History

v1.0 2005-07-07 Initial release.
v1.1 2005-07-09 Additional related issues fixed in FreeBSD 4.10 and 5.3.

I. Background

cvsbug(1) is a utility for reporting problems in the CVS revision
control system. It is based on the GNATS send-pr(1) utility.

II. Problem Description

A temporary file is created, used, deleted, and then re-created with
the same name. This creates a window during which an attacker could
replace the file with a link to another file. While cvsbug(1) is based
on the send-pr(1) utility, this problem does not exist in the version
of send-pr(1) distributed with FreeBSD.

In FreeBSD 4.10 and 5.3, some additional problems exist concerning
temporary file usage in both cvsbug(1) and send-pr(1).

III. Impact

A local attacker could cause data to be written to any file to which
the user running cvsbug(1) (or send-pr(1) in FreeBSD 4.10 and 5.3) has
write access. This may cause damage in itself (e.g., by destroying
important system files or documents) or may be used to obtain elevated
privileges.

IV. Workaround

Do not use the cvsbug(1) utility on any system with untrusted users.

Do not use the send-pr(1) utility on a FreeBSD 4.10 or 5.3 system with
untrusted users.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10,
4.11, 5.3, and 5.4 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.10]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...vsbug410.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...g410.patch.asc

[FreeBSD 5.3]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...cvsbug53.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...ug53.patch.asc

[FreeBSD 4.11 and 5.4]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...0/cvsbug.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...sbug.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/gnu/usr.bin/cvs/cvsbug
# make obj && make depend && make && make install
# cd /usr/src/gnu/usr.bin/send-pr
# make obj && make depend && make && make install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_4
src/contrib/cvs/src/cvsbug.in 1.1.1.1.2.4
RELENG_4_11
src/UPDATING 1.73.2.91.2.13
src/sys/conf/newvers.sh 1.44.2.39.2.16
src/contrib/cvs/src/cvsbug.in 1.1.1.1.2.3.2.1
RELENG_4_10
src/UPDATING 1.73.2.90.2.19
src/sys/conf/newvers.sh 1.44.2.34.2.20
src/contrib/cvs/src/cvsbug.in 1.1.1.1.2.2.6.2
src/gnu/usr.bin/send-pr/send-pr.sh 1.13.2.13.2.1
RELENG_5
src/contrib/cvs/src/cvsbug.in 1.1.1.3.2.1
RELENG_5_4
src/UPDATING 1.342.2.24.2.16
src/sys/conf/newvers.sh 1.62.2.18.2.12
src/contrib/cvs/src/cvsbug.in 1.1.1.3.6.1
RELENG_5_3
src/UPDATING 1.342.2.13.2.25
src/sys/conf/newvers.sh 1.62.2.15.2.27
src/contrib/cvs/src/cvsbug.in 1.1.1.3.4.1
src/gnu/usr.bin/send-pr/send-pr.sh 1.35.6.1
RELENG_6
src/contrib/cvs/src/cvsbug.in 1.1.1.3.8.1

Belansky 16-10-2005 08:59 364661

Очередное обновление по безопасности.
Цитата:

FreeBSD-SA-05:21.openssl Security Advisory
The FreeBSD Project

Topic: Potential SSL 2.0 rollback

Category: contrib
Module: openssl
Announced: 2005-10-11
Credits: Yutaka Oiwa
Affects: All FreeBSD releases.
Corrected: 2005-10-11 11:52:46 UTC (RELENG_6, 6.0-STABLE)
2005-10-11 11:53:03 UTC (RELENG_6_0, 6.0-RELEASE)
2005-10-11 11:52:01 UTC (RELENG_5, 5.4-STABLE)
2005-10-11 11:52:28 UTC (RELENG_5_4, 5.4-RELEASE-p8)
2005-10-11 11:52:13 UTC (RELENG_5_3, 5.3-RELEASE-p23)
2005-10-11 11:50:50 UTC (RELENG_4, 4.11-STABLE)
2005-10-11 11:51:45 UTC (RELENG_4_11, 4.11-RELEASE-p13)
2005-10-11 11:51:20 UTC (RELENG_4_10, 4.10-RELEASE-p19)
CVE Name: CAN-2005-2969

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I. Background

The OpenSSL library implements the Secure Sockets Layer and Transport
Layer Security protocols, as well as providing a large number of basic
cryptographic functions.

The Secure Sockets Layer protocol exists in two versions and includes a
mechanism for negotiating the protocol version to be used. If the
protocol is executed correctly, it is impossible for a client and
server both capable of the newer version of the protocol (SSLv3) to end
up using the older version of the protocol (SSLv2).

II. Problem Description

In order to provide bug-for-bug compatibility with Microsoft Internet
Explorer 3.02, a verification step required by the Secure Sockets Layer
protocol can be disabled by using the SSL_OP_MSIE_SSLV2_RSA_PADDING
option in OpenSSL. This option is implied by the frequently-used
SSL_OP_ALL option.

III. Impact

If the SSL_OP_MSIE_SSLV2_RSA_PADDING option is enabled in a server
application using OpenSSL, an attacker who is able to intercept and
tamper with packets transmitted between a client and the server can
cause the protocol version negotiation to result in SSLv2 being used
even when both the client and the server support SSLv3. Due to a
number of weaknesses in the SSLv2 protocol, this may allow the attacker
to read or tamper with the encrypted data being sent.

Applications which do not support SSLv2, have been configured to not
permit the use of SSLv2, or do not use the SSL_OP_MSIE_SSLV2_RSA_PADDING
or SSL_OP_ALL options are not affected.

IV. Workaround

No workaround is available.

V. Solution

NOTE WELL: The solution described below causes OpenSSL to ignore the
SSL_OP_MSIE_SSLV2_RSA_PADDING option and hence to require conformance
with the Secure Sockets Layer protocol. As a result, this solution
will reintroduce incompatibility with Microsoft Internet Explorer 3.02
and any other applications which exhibit the same protocol violation.

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10,
4.11, 5.3, and 5.4 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE.../openssl.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...nssl.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system as described in
<URL: http://www.freebsd.org/doc/en_US.ISO...makeworld.html >.

Note that any statically linked applications that are not part of the
base system (i.e. from the Ports Collection or other 3rd-party sources)
must be recompiled.

All affected applications must be restarted for them to use the
corrected library. Though not required, rebooting may be the easiest
way to accomplish this.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_4
src/crypto/openssl/crypto/opensslv.h 1.1.1.1.2.11
src/crypto/openssl/ssl/s23_srvr.c 1.2.2.6
RELENG_4_11
src/UPDATING 1.73.2.91.2.14
src/sys/conf/newvers.sh 1.44.2.39.2.17
src/crypto/openssl/crypto/opensslv.h 1.1.1.1.2.10.4.1
src/crypto/openssl/ssl/s23_srvr.c 1.2.2.5.8.1
RELENG_4_10
src/UPDATING 1.73.2.90.2.20
src/sys/conf/newvers.sh 1.44.2.34.2.21
src/crypto/openssl/crypto/opensslv.h 1.1.1.1.2.10.2.1
src/crypto/openssl/ssl/s23_srvr.c 1.2.2.5.6.1
RELENG_5
src/crypto/openssl/crypto/opensslv.h 1.1.1.1.15.2.2
src/crypto/openssl/ssl/s23_srvr.c 1.7.6.1
RELENG_5_4
src/UPDATING 1.342.2.24.2.17
src/sys/conf/newvers.sh 1.62.2.18.2.13
src/crypto/openssl/crypto/opensslv.h 1.1.1.15.2.1.2.1
src/crypto/openssl/ssl/s23_srvr.c 1.7.10.1
RELENG_5_3
src/UPDATING 1.342.2.13.2.26
src/sys/conf/newvers.sh 1.62.2.15.2.28
src/crypto/openssl/crypto/opensslv.h 1.1.1.15.4.1
src/crypto/openssl/ssl/s23_srvr.c 1.7.8.1
RELENG_6
src/crypto/openssl/ssl/s23_srvr.c 1.7.12.1
src/crypto/openssl/crypto/opensslv.h 1.1.1.16.2.1
RELENG_6_0
src/UPDATING 1.416.2.3.2.1
src/crypto/openssl/crypto/opensslv.h 1.1.1.16.4.1
src/crypto/openssl/ssl/s23_srvr.c 1.7.14.1

VGrey 23-10-2005 11:42 366907

Cvsup исходников системы...
 
Правильным ли будет утверждение, что в настоящий момент времени, исходный код системы, полученый по RELENG_4_11, будет аналогичныи полученому по RELENG_4 + последние заплатки по безопасности?

Belansky 24-10-2005 11:00 367127

VGrey
Нет.
С тегом RELENG_4_11 вы получаете исходники релиза 4.11 и обновления системы по безопасности, например, 4.11-RELEASE-p13. С тегом RELENG_4 вы получаете исходники системы 4.11-STABLE, включая нетолько последние заплатки по безопасности, но и другие обновления.

MS-aztoy 19-11-2005 22:18 375790

То есть я так понимаю что если запускается
cvsup /usr/share/examples/cvsup/standard-supfile
в котором указано обновлять src-all до tag=RELENG_5_4 , я получу текущие апдейты для FreeBSD 5,4 (включая обновления безопасности (так называемые Security Updates), исправления утилит, расширение каких-то свойств, исправления в работе с некотрыми девайсами)


Belansky 22-11-2005 19:52 376660

MS-aztoy
Правильно понимаете.

Demiurg 30-11-2005 14:50 378798

...сделал подобные настройки:
/etc/sysctl.conf
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

/etc/rc.conf
tcp_drop_synfin="YES"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
icmp_bmcastecho="YES"

...X'ы стали очень долго стратовать, KDE - минуть 7-10... в какой из строчек я 'гайки безопасности перетянул'?

Belansky 01-12-2005 10:28 379029

Demiurg
Цитата:

в какой из строчек я 'гайки безопасности перетянул'?
А кто его знает?
Здается мне, что это не столько KDE виновато, сколько сами иксы, которые работают по схеме клиент-сервер и общение между компонентами иксов проходит по протоколу tpc/ip.
Попробуйте сами найти виноватую строку методом научного тыка, т.е. предваряя указанные Вами строки знаком комментария и рестартуя иксы.

mar 13-01-2006 12:44 391909

Внимание!
Цитата:

В пакетном фильтре ipfw, входящем в состав FreeBSD 6.0, обнаружена неприятная уязвимость. Удаленный злоумышленник может вызвать отказ в обслуживании отправив специально сформированный пакет, подпадающий под "reset", "reject" или "unreach" правило фаервола.

Проблем можно избежать заменив все "reset", "reject" и "unreach" действия на "deny".

Также опубликованы еще три сообщения о незначительных проблемах безопасности во входящих в базовую поставку FreeBSD 6.0 приложений:

1. Multiple vulnerabilities cpio;
2. ee temporary file privilege escalation;
3. Texindex temporary file privilege escalation.
(цитата из рассылки opennet)
Подробности:
ftp://ftp.freebsd.org/pub/FreeBSD/CE...%3A04.ipfw.asc

Belansky 20-01-2006 12:07 395059

Очередное обновление по безопасности.
Цитата:

FreeBSD-SA-06:05.80211 Security Advisory
The FreeBSD Project

Topic: IEEE 802.11 buffer overflow

Category: core
Module: net80211
Announced: 2006-01-18
Credits: Karl Janmar
Affects: FreeBSD 6.0
Corrected: 2006-01-18 09:03:15 UTC (RELENG_6, 6.0-STABLE)
2006-01-18 09:03:36 UTC (RELENG_6_0, 6.0-RELEASE-p3)
CVE Name: CVE-2006-0226

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I. Background

The IEEE 802.11 network subsystem of FreeBSD implements the protocol
negotiation used for wireless networking.

II. Problem Description

An integer overflow in the handling of corrupt IEEE 802.11 beacon or
probe response frames when scanning for existing wireless networks can
result in the frame overflowing a buffer.

III. Impact

An attacker able broadcast a carefully crafted beacon or probe response
frame may be able to execute arbitrary code within the context of the
FreeBSD kernel on any system scanning for wireless networks.

IV. Workaround

No workaround is available, but systems without IEEE 802.11 hardware or
drivers loaded are not vulnerable.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE or to the RELENG_6_0
security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...05/80211.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...0211.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_6
src/sys/net80211/ieee80211_ioctl.c 1.25.2.9
RELENG_6_0
src/UPDATING 1.416.2.3.2.8
src/sys/conf/newvers.sh 1.69.2.8.2.4
src/sys/net80211/ieee80211_ioctl.c 1.25.2.3.2.1

Belansky 25-01-2006 15:24 397031

Очередные обновления по безопасности.
Цитата:

FreeBSD-SA-06:06.kmem Security Advisory
The FreeBSD Project

Topic: Local kernel memory disclosure

Category: core
Module: kernel
Announced: 2006-01-25
Credits: Xin LI, Karl Janmar
Affects: FreeBSD 5.4-STABLE and FreeBSD 6.0
Corrected: 2006-01-25 10:00:59 UTC (RELENG_6, 6.0-STABLE)
2006-01-25 10:01:26 UTC (RELENG_6_0, 6.0-RELEASE-p4)
2006-01-25 10:01:47 UTC (RELENG_5, 5.4-STABLE)
CVE Name: CVE-2006-0379, CVE-2006-0380

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I. Background

The network sub-system commonly utilizes the ioctl(2) mechanism to pass
information regarding the current state and statistics of logical and
physical network devices.

II. Problem Description

A buffer allocated from the kernel stack may not be completely
initialized before being copied to userland. [CVE-2006-0379]

A logic error in computing a buffer length may allow too much data to
be copied into userland. [CVE-2006-0380]

III. Impact

Portions of kernel memory may be disclosed to local users. Such
memory might contain sensitive information, such as portions of the
file cache or terminal buffers. This information might be directly
useful, or it might be leveraged to obtain elevated privileges in
some way. For example, a terminal buffer might include a user-entered
password.

IV. Workaround

No workaround is available.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE or 6-STABLE, or to the
RELENG_6_0 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.4 and 6.0
systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 5.4-STABLE and 6.0-STABLE]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...:06/kmem.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...kmem.patch.asc

[FreeBSD 6.0-RELEASE]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...6/kmem60.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...em60.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_5
src/sys/net/if_bridge.c 1.23.2.7
RELENG_6
src/sys/net/if_bridge.c 1.11.2.24
RELENG_6_0
src/UPDATING 1.416.2.3.2.9
src/sys/conf/newvers.sh 1.69.2.8.2.5
src/sys/net/if_bridge.c 1.11.2.12.2.4
src/sys/net80211/ieee80211_ioctl.c 1.25.2.3.2.2
Цитата:

FreeBSD-SA-06:07.pf Security Advisory
The FreeBSD Project

Topic: IP fragment handling panic in pf(4)

Category: contrib
Module: sys_contrib
Announced: 2006-01-25
Credits: Jakob Schlyter, Daniel Hartmeier
Affects: FreeBSD 5.3, FreeBSD 5.4, and FreeBSD 6.0
Corrected: 2006-01-25 10:00:59 UTC (RELENG_6, 6.0-STABLE)
2006-01-25 10:01:26 UTC (RELENG_6_0, 6.0-RELEASE-p4)
2006-01-25 10:01:47 UTC (RELENG_5, 5.4-STABLE)
2006-01-25 10:02:07 UTC (RELENG_5_4, 5.4-RELEASE-p10)
2006-01-25 10:02:27 UTC (RELENG_5_3, 5.3-RELEASE-p25)
CVE Name: CVE-2006-0381

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I. Background

pf is an Internet Protocol packet filter originally written for OpenBSD.
In addition to filtering packets, it also has packet normalization
capabilities.

II. Problem Description

A logic bug in pf's IP fragment cache may result in a packet fragment
being inserted twice, violating a kernel invariant.

III. Impact

By sending carefully crafted sequence of IP packet fragments, a remote
attacker can cause a system running pf with a ruleset containing a
'scrub fragment crop' or 'scrub fragment drop-ovl' rule to crash.

IV. Workaround

Do not use 'scrub fragment crop' or 'scrub fragment drop-ovl' rules
on systems running pf. In most cases, such rules can be replaced by
'scrub fragment reassemble' rules; see the pf.conf(5) manual page for
more details.

Systems which do not use pf, or use pf but do not use the aforementioned
rules, are not affected by this issue.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE or 6-STABLE, or to the
RELENG_6_0, RELENG_5_4, or RELENG_5_3 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.3, 5.4,
and 6.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...06:07/pf.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...7/pf.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_5
src/sys/contrib/pf/net/pf_norm.c 1.10.2.2
RELENG_5_4
src/UPDATING 1.342.2.24.2.19
src/sys/conf/newvers.sh 1.62.2.18.2.15
src/sys/contrib/pf/net/pf_norm.c 1.10.6.1
RELENG_5_3
src/UPDATING 1.342.2.13.2.28
src/sys/conf/newvers.sh 1.62.2.15.2.30
src/sys/contrib/pf/net/pf_norm.c 1.10.4.1
RELENG_6
src/sys/contrib/pf/net/pf_norm.c 1.11.2.3
RELENG_6_0
src/UPDATING 1.416.2.3.2.9
src/sys/conf/newvers.sh 1.69.2.8.2.5
src/sys/contrib/pf/net/pf_norm.c 1.11.2.1.2.1

Belansky 03-02-2006 11:48 400372

Очередное обновление по безопасности. Затрагивает пятую ветку.
Цитата:

FreeBSD-SA-06:08.sack Security Advisory
The FreeBSD Project

Topic: Infinite loop in SACK handling

Category: core
Module: netinet
Announced: 2006-02-01
Credits: Scott Wood
Affects: FreeBSD 5.3 and 5.4
Corrected: 2006-01-24 01:16:18 UTC (RELENG_5, 5.4-STABLE)
2006-02-01 19:43:10 UTC (RELENG_5_4, 5.4-RELEASE-p11)
2006-02-01 19:43:36 UTC (RELENG_5_3, 5.3-RELEASE-p26)
CVE Name: CVE-2006-0433

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I. Background

SACK (Selective Acknowledgement) is an extension to the TCP/IP protocol
that allows hosts to acknowledge the receipt of some, but not all, of
the packets sent, thereby reducing the cost of retransmissions.

II. Problem Description

When insufficient memory is available to handle an incoming selective
acknowledgement, the TCP/IP stack may enter an infinite loop.

III. Impact

By opening a TCP connection and sending a carefully crafted series of
packets, an attacker may be able to cause a denial of service.

IV. Workaround

On FreeBSD 5.4, the net.inet.tcp.sack.enable sysctl can be used to
disable the use of SACK:

# sysctl net.inet.tcp.sack.enable=0

No workaround is available for FreeBSD 5.3.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE or to the RELENG_5_4 or
RELENG_5_3 security branch dated after the correction date.

2) To patch your present system:

The following patch have been verified to apply to FreeBSD 5.3 and
5.4 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...:08/sack.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...sack.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_5
src/sys/netinet/tcp_sack.c 1.3.2.10
RELENG_5_4
src/UPDATING 1.342.2.24.2.20
src/sys/conf/newvers.sh 1.62.2.18.2.16
src/sys/netinet/tcp_sack.c 1.3.2.5.2.1
RELENG_5_3
src/UPDATING 1.342.2.13.2.29
src/sys/conf/newvers.sh 1.62.2.15.2.31
src/sys/netinet/tcp_sack.c 1.3.4.1

Belansky 03-03-2006 10:01 413221

Очередные обновления по безопасности:
FreeBSD-SA-06:09.openssh
FreeBSD-SA-06:10.nfs

Belansky 23-03-2006 11:29 420824

Очередные обновления по безопасности:
FreeBSD-SA-06:11.ipsec
FreeBSD-SA-06:12.opie
FreeBSD-SA-06:13.sendmail

Belansky 24-04-2006 11:46 431140

Очередное обновление по безопасности:
FreeBSD-SA-06:14.fpu

Belansky 01-06-2006 08:18 444937

Очередные обновления по безопасности:
FreeBSD-SA-06:15.ypserv
FreeBSD-SA-06:16.smbfs

Belansky 15-06-2006 09:04 450821

Очередное обновление по безопасности:
FreeBSD-SA-06:17.sendmail

Barracuda 21-09-2006 04:02 487458

Очередное обновление по безопасности:
FreeBSD-SA-06:21.gzip

Barracuda 01-10-2006 02:58 491785

Очередное обновление по безопасности (FreeBSD-SA-06:23.openssl).
Описание и методы устранения уязвимости читать тут
В догонку - FreeBSD-SA-06:22

Barracuda 12-11-2006 09:02 510403

Очередная уязвимость - FreeBSD-SA-06:24.libarchive.
Описание и методы устранения уязвимости читать тут
В догонку - FreeBSD-SA-06:22

Belansky 08-12-2006 11:09 522329

Очередные обновления по безопасности.
FreeBSD-SA-06:25.kmem
FreeBSD-SA-06:26.gtar

Belansky 16-01-2007 22:42 537048

Очередное обновление по безопасности.
FreeBSD-SA-07:01.jail

Belansky 29-04-2007 21:23 581240

Новое обновление по безопасности:
Код:

FreeBSD-SA-07:03.ipv6                                      Security Advisory
                                                          The FreeBSD Project

Topic:          IPv6 Routing Header 0 is dangerous

Category:      core
Module:        ipv6
Announced:      2007-04-26
Credits:        Philippe Biondi, Arnaud Ebalard, Jun-ichiro itojun Hagino
Affects:        All FreeBSD releases.
Corrected:      2007-04-24 11:42:42 UTC (RELENG_6, 6.2-STABLE)
                2007-04-26 23:42:23 UTC (RELENG_6_2, 6.2-RELEASE-p4)
                2007-04-26 23:41:59 UTC (RELENG_6_1, 6.1-RELEASE-p16)
                2007-04-24 11:44:23 UTC (RELENG_5, 5.5-STABLE)
                2007-04-26 23:41:27 UTC (RELENG_5_5, 5.5-RELEASE-p12)
CVE Name:      CVE-2007-2242

I.  Background

IPv6 provides a routing header option which allows a packet sender to
indicate how the packet should be routed, overriding the routing knowledge
present in a network.  This functionality is roughly equivalent to the
"source routing" option in IPv4.  All nodes in an IPv6 network -- both
routers and hosts -- are required by RFC 2460 to process such headers.

II.  Problem Description

There is no mechanism for preventing IPv6 routing headers from being used
to route packets over the same link(s) many times.

III. Impact

An attacker can "amplify" a denial of service attack against a link between
two vulnerable hosts; that is, by sending a small volume of traffic the
attacker can consume a much larger amount of bandwidth between the two
vulnerable hosts.

An attacker can use vulnerable hosts to "concentrate" a denial of service
attack against a victim host or network; that is, a set of packets sent
over a period of 30 seconds or more could be constructed such that they
all arrive at the victim within a period of 1 second or less.

Other attacks may also be possible.

IV.  Workaround

No workaround is available.

V.  Solution

NOTE WELL: The solution described below causes IPv6 type 0 routing headers
to be ignored.  Support for IPv6 type 0 routing headers can be re-enabled
if required by setting the newly added net.inet6.ip6.rthdr0_allowed sysctl
to a non-zero value.

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or 6-STABLE, or to the
RELENG_6_2, RELENG_6_1, or RELENG_5_5 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.5, 6.1,
and 6.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-07:03/ipv6.patch
# fetch http://security.FreeBSD.org/patches/SA-07:03/ipv6.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                          Revision
  Path
- -------------------------------------------------------------------------
RELENG_5
  src/sys/netinet6/in6.h                                        1.35.2.5
  src/sys/netinet6/in6_proto.c                                  1.29.2.5
  src/sys/netinet6/route6.c                                      1.10.4.2
RELENG_5_5
  src/UPDATING                                            1.342.2.35.2.12
  src/sys/conf/newvers.sh                                  1.62.2.21.2.14
  src/sys/netinet6/in6.h                                    1.35.2.3.2.1
  src/sys/netinet6/in6_proto.c                              1.29.2.4.2.1
  src/sys/netinet6/route6.c                                  1.10.4.1.4.1
RELENG_6
  src/sys/netinet6/in6.h                                        1.36.2.8
  src/sys/netinet6/in6_proto.c                                  1.32.2.6
  src/sys/netinet6/route6.c                                      1.11.2.2
RELENG_6_2
  src/UPDATING                                            1.416.2.29.2.7
  src/sys/conf/newvers.sh                                  1.69.2.13.2.7
  src/sys/netinet6/in6.h                                    1.36.2.7.2.1
  src/sys/netinet6/in6_proto.c                              1.32.2.5.2.1
  src/sys/netinet6/route6.c                                  1.11.2.1.4.1
RELENG_6_1
  src/UPDATING                                            1.416.2.22.2.18
  src/sys/conf/newvers.sh                                  1.69.2.11.2.18
  src/sys/netinet6/in6.h                                    1.36.2.6.2.1
  src/sys/netinet6/in6_proto.c                              1.32.2.4.2.1
  src/sys/netinet6/route6.c                                  1.11.2.1.2.1


Belansky 30-05-2007 10:30 592797

Очередное обновление по безопасности.

brag 16-06-2007 15:44 599997

Никто не подскажет,на сколько опасны(или безопасны) эти переменные:
kern.ipc.shm_use_phys
kern.ipc.shm_allow_removed
,если их установить в 1.я плохо дуплю в них черо( и в сетке инфы тоже мало

Belansky 04-08-2007 16:44 622953

Очередные обновления по безопасности:
http://security.freebsd.org/advisori...06.tcpdump.asc
http://security.freebsd.org/advisori...07:07.bind.asc

Negativ 06-04-2009 11:51 1085521

Народ, куда подевалась ветка 6.2 с ftp.freebsd.org ?

cluber 01-10-2009 15:52 1231999

Добавил в sysctl.conf строку: net.inet.tcp.blackhole=2
отвалился ssh доступ к машине
Нужно и то и другое.
Подскажите, пожалуйста, можно ли это как-то победить?

FreeBSD 7

sasa19952010 02-12-2010 20:17 1556895

Плз, посоветуйте ось и антивирь.

Infection 28-08-2011 11:27 1740849

народ у меня такая проблемма возникла! При запуске фрии мне вместо имени которое я ей назначил стоит значок % и команды не хотят отрабатывать, как мне это исправить


Время: 05:22.

Время: 05:22.
© OSzone.net 2001-