[Belansky]

Очередное обновление по безопасности.

Цитата:

FreeBSD-SA-05:21.openssl Security Advisory The FreeBSD Project Topic: Potential SSL 2.0 rollback Category: contrib Module: openssl Announced: 2005-10-11 Credits: Yutaka Oiwa Affects: All FreeBSD releases. Corrected: 2005-10-11 11:52:46 UTC (RELENG_6, 6.0-STABLE) 2005-10-11 11:53:03 UTC (RELENG_6_0, 6.0-RELEASE) 2005-10-11 11:52:01 UTC (RELENG_5, 5.4-STABLE) 2005-10-11 11:52:28 UTC (RELENG_5_4, 5.4-RELEASE-p8) 2005-10-11 11:52:13 UTC (RELENG_5_3, 5.3-RELEASE-p23) 2005-10-11 11:50:50 UTC (RELENG_4, 4.11-STABLE) 2005-10-11 11:51:45 UTC (RELENG_4_11, 4.11-RELEASE-p13) 2005-10-11 11:51:20 UTC (RELENG_4_10, 4.10-RELEASE-p19) CVE Name: CAN-2005-2969 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://www.freebsd.org/security/>. I. Background The OpenSSL library implements the Secure Sockets Layer and Transport Layer Security protocols, as well as providing a large number of basic cryptographic functions. The Secure Sockets Layer protocol exists in two versions and includes a mechanism for negotiating the protocol version to be used. If the protocol is executed correctly, it is impossible for a client and server both capable of the newer version of the protocol (SSLv3) to end up using the older version of the protocol (SSLv2). II. Problem Description In order to provide bug-for-bug compatibility with Microsoft Internet Explorer 3.02, a verification step required by the Secure Sockets Layer protocol can be disabled by using the SSL_OP_MSIE_SSLV2_RSA_PADDING option in OpenSSL. This option is implied by the frequently-used SSL_OP_ALL option. III. Impact If the SSL_OP_MSIE_SSLV2_RSA_PADDING option is enabled in a server application using OpenSSL, an attacker who is able to intercept and tamper with packets transmitted between a client and the server can cause the protocol version negotiation to result in SSLv2 being used even when both the client and the server support SSLv3. Due to a number of weaknesses in the SSLv2 protocol, this may allow the attacker to read or tamper with the encrypted data being sent. Applications which do not support SSLv2, have been configured to not permit the use of SSLv2, or do not use the SSL_OP_MSIE_SSLV2_RSA_PADDING or SSL_OP_ALL options are not affected. IV. Workaround No workaround is available. V. Solution NOTE WELL: The solution described below causes OpenSSL to ignore the SSL_OP_MSIE_SSLV2_RSA_PADDING option and hence to require conformance with the Secure Sockets Layer protocol. As a result, this solution will reintroduce incompatibility with Microsoft Internet Explorer 3.02 and any other applications which exhibit the same protocol violation. Perform one of the following: 1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 4.10, 4.11, 5.3, and 5.4 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE.../openssl.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...nssl.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system as described in <URL: http://www.freebsd.org/doc/en_US.ISO...makeworld.html >. Note that any statically linked applications that are not part of the base system (i.e. from the Ports Collection or other 3rd-party sources) must be recompiled. All affected applications must be restarted for them to use the corrected library. Though not required, rebooting may be the easiest way to accomplish this. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_4 src/crypto/openssl/crypto/opensslv.h 1.1.1.1.2.11 src/crypto/openssl/ssl/s23_srvr.c 1.2.2.6 RELENG_4_11 src/UPDATING 1.73.2.91.2.14 src/sys/conf/newvers.sh 1.44.2.39.2.17 src/crypto/openssl/crypto/opensslv.h 1.1.1.1.2.10.4.1 src/crypto/openssl/ssl/s23_srvr.c 1.2.2.5.8.1 RELENG_4_10 src/UPDATING 1.73.2.90.2.20 src/sys/conf/newvers.sh 1.44.2.34.2.21 src/crypto/openssl/crypto/opensslv.h 1.1.1.1.2.10.2.1 src/crypto/openssl/ssl/s23_srvr.c 1.2.2.5.6.1 RELENG_5 src/crypto/openssl/crypto/opensslv.h 1.1.1.1.15.2.2 src/crypto/openssl/ssl/s23_srvr.c 1.7.6.1 RELENG_5_4 src/UPDATING 1.342.2.24.2.17 src/sys/conf/newvers.sh 1.62.2.18.2.13 src/crypto/openssl/crypto/opensslv.h 1.1.1.15.2.1.2.1 src/crypto/openssl/ssl/s23_srvr.c 1.7.10.1 RELENG_5_3 src/UPDATING 1.342.2.13.2.26 src/sys/conf/newvers.sh 1.62.2.15.2.28 src/crypto/openssl/crypto/opensslv.h 1.1.1.15.4.1 src/crypto/openssl/ssl/s23_srvr.c 1.7.8.1 RELENG_6 src/crypto/openssl/ssl/s23_srvr.c 1.7.12.1 src/crypto/openssl/crypto/opensslv.h 1.1.1.16.2.1 RELENG_6_0 src/UPDATING 1.416.2.3.2.1 src/crypto/openssl/crypto/opensslv.h 1.1.1.16.4.1 src/crypto/openssl/ssl/s23_srvr.c 1.7.14.1

Правильным ли будет утверждение, что в настоящий момент времени, исходный код системы, полученый по RELENG_4_11, будет аналогичныи полученому по RELENG_4 + последние заплатки по безопасности?

[Belansky]

VGrey
Нет.
С тегом RELENG_4_11 вы получаете исходники релиза 4.11 и обновления системы по безопасности, например, 4.11-RELEASE-p13. С тегом RELENG_4 вы получаете исходники системы 4.11-STABLE, включая нетолько последние заплатки по безопасности, но и другие обновления.

[MS-aztoy]

То есть я так понимаю что если запускается
cvsup /usr/share/examples/cvsup/standard-supfile
в котором указано обновлять src-all до tag=RELENG_5_4 , я получу текущие апдейты для FreeBSD 5,4 (включая обновления безопасности (так называемые Security Updates), исправления утилит, расширение каких-то свойств, исправления в работе с некотрыми девайсами)

[Belansky]

MS-aztoy
Правильно понимаете.

[Demiurg]

...сделал подобные настройки:
/etc/sysctl.conf
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

/etc/rc.conf
tcp_drop_synfin="YES"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
icmp_bmcastecho="YES"

...X'ы стали очень долго стратовать, KDE - минуть 7-10... в какой из строчек я 'гайки безопасности перетянул'?

[Belansky]

Demiurg

Цитата:

в какой из строчек я 'гайки безопасности перетянул'?

А кто его знает?
Здается мне, что это не столько KDE виновато, сколько сами иксы, которые работают по схеме клиент-сервер и общение между компонентами иксов проходит по протоколу tpc/ip.
Попробуйте сами найти виноватую строку методом научного тыка, т.е. предваряя указанные Вами строки знаком комментария и рестартуя иксы.

[mar]

Внимание!

Цитата:

В пакетном фильтре ipfw, входящем в состав FreeBSD 6.0, обнаружена неприятная уязвимость. Удаленный злоумышленник может вызвать отказ в обслуживании отправив специально сформированный пакет, подпадающий под "reset", "reject" или "unreach" правило фаервола. Проблем можно избежать заменив все "reset", "reject" и "unreach" действия на "deny". Также опубликованы еще три сообщения о незначительных проблемах безопасности во входящих в базовую поставку FreeBSD 6.0 приложений: 1. Multiple vulnerabilities cpio; 2. ee temporary file privilege escalation; 3. Texindex temporary file privilege escalation.

(цитата из рассылки opennet)
Подробности:
ftp://ftp.freebsd.org/pub/FreeBSD/CE...%3A04.ipfw.asc

[Belansky]

Очередное обновление по безопасности.

Цитата:

FreeBSD-SA-06:05.80211 Security Advisory The FreeBSD Project Topic: IEEE 802.11 buffer overflow Category: core Module: net80211 Announced: 2006-01-18 Credits: Karl Janmar Affects: FreeBSD 6.0 Corrected: 2006-01-18 09:03:15 UTC (RELENG_6, 6.0-STABLE) 2006-01-18 09:03:36 UTC (RELENG_6_0, 6.0-RELEASE-p3) CVE Name: CVE-2006-0226 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://www.freebsd.org/security/>. I. Background The IEEE 802.11 network subsystem of FreeBSD implements the protocol negotiation used for wireless networking. II. Problem Description An integer overflow in the handling of corrupt IEEE 802.11 beacon or probe response frames when scanning for existing wireless networks can result in the frame overflowing a buffer. III. Impact An attacker able broadcast a carefully crafted beacon or probe response frame may be able to execute arbitrary code within the context of the FreeBSD kernel on any system scanning for wireless networks. IV. Workaround No workaround is available, but systems without IEEE 802.11 hardware or drivers loaded are not vulnerable. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 6-STABLE or to the RELENG_6_0 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 6.0 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...05/80211.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...0211.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in <URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_6 src/sys/net80211/ieee80211_ioctl.c 1.25.2.9 RELENG_6_0 src/UPDATING 1.416.2.3.2.8 src/sys/conf/newvers.sh 1.69.2.8.2.4 src/sys/net80211/ieee80211_ioctl.c 1.25.2.3.2.1

[Belansky]

Очередные обновления по безопасности.

Цитата:

FreeBSD-SA-06:06.kmem Security Advisory The FreeBSD Project Topic: Local kernel memory disclosure Category: core Module: kernel Announced: 2006-01-25 Credits: Xin LI, Karl Janmar Affects: FreeBSD 5.4-STABLE and FreeBSD 6.0 Corrected: 2006-01-25 10:00:59 UTC (RELENG_6, 6.0-STABLE) 2006-01-25 10:01:26 UTC (RELENG_6_0, 6.0-RELEASE-p4) 2006-01-25 10:01:47 UTC (RELENG_5, 5.4-STABLE) CVE Name: CVE-2006-0379, CVE-2006-0380 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://www.freebsd.org/security/>. I. Background The network sub-system commonly utilizes the ioctl(2) mechanism to pass information regarding the current state and statistics of logical and physical network devices. II. Problem Description A buffer allocated from the kernel stack may not be completely initialized before being copied to userland. [CVE-2006-0379] A logic error in computing a buffer length may allow too much data to be copied into userland. [CVE-2006-0380] III. Impact Portions of kernel memory may be disclosed to local users. Such memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way. For example, a terminal buffer might include a user-entered password. IV. Workaround No workaround is available. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 5-STABLE or 6-STABLE, or to the RELENG_6_0 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 5.4 and 6.0 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 5.4-STABLE and 6.0-STABLE] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...:06/kmem.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...kmem.patch.asc [FreeBSD 6.0-RELEASE] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...6/kmem60.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...em60.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in <URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_5 src/sys/net/if_bridge.c 1.23.2.7 RELENG_6 src/sys/net/if_bridge.c 1.11.2.24 RELENG_6_0 src/UPDATING 1.416.2.3.2.9 src/sys/conf/newvers.sh 1.69.2.8.2.5 src/sys/net/if_bridge.c 1.11.2.12.2.4 src/sys/net80211/ieee80211_ioctl.c 1.25.2.3.2.2

Цитата:

FreeBSD-SA-06:07.pf Security Advisory The FreeBSD Project Topic: IP fragment handling panic in pf(4) Category: contrib Module: sys_contrib Announced: 2006-01-25 Credits: Jakob Schlyter, Daniel Hartmeier Affects: FreeBSD 5.3, FreeBSD 5.4, and FreeBSD 6.0 Corrected: 2006-01-25 10:00:59 UTC (RELENG_6, 6.0-STABLE) 2006-01-25 10:01:26 UTC (RELENG_6_0, 6.0-RELEASE-p4) 2006-01-25 10:01:47 UTC (RELENG_5, 5.4-STABLE) 2006-01-25 10:02:07 UTC (RELENG_5_4, 5.4-RELEASE-p10) 2006-01-25 10:02:27 UTC (RELENG_5_3, 5.3-RELEASE-p25) CVE Name: CVE-2006-0381 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://www.freebsd.org/security/>. I. Background pf is an Internet Protocol packet filter originally written for OpenBSD. In addition to filtering packets, it also has packet normalization capabilities. II. Problem Description A logic bug in pf's IP fragment cache may result in a packet fragment being inserted twice, violating a kernel invariant. III. Impact By sending carefully crafted sequence of IP packet fragments, a remote attacker can cause a system running pf with a ruleset containing a 'scrub fragment crop' or 'scrub fragment drop-ovl' rule to crash. IV. Workaround Do not use 'scrub fragment crop' or 'scrub fragment drop-ovl' rules on systems running pf. In most cases, such rules can be replaced by 'scrub fragment reassemble' rules; see the pf.conf(5) manual page for more details. Systems which do not use pf, or use pf but do not use the aforementioned rules, are not affected by this issue. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 5-STABLE or 6-STABLE, or to the RELENG_6_0, RELENG_5_4, or RELENG_5_3 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 5.3, 5.4, and 6.0 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...06:07/pf.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...7/pf.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in <URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_5 src/sys/contrib/pf/net/pf_norm.c 1.10.2.2 RELENG_5_4 src/UPDATING 1.342.2.24.2.19 src/sys/conf/newvers.sh 1.62.2.18.2.15 src/sys/contrib/pf/net/pf_norm.c 1.10.6.1 RELENG_5_3 src/UPDATING 1.342.2.13.2.28 src/sys/conf/newvers.sh 1.62.2.15.2.30 src/sys/contrib/pf/net/pf_norm.c 1.10.4.1 RELENG_6 src/sys/contrib/pf/net/pf_norm.c 1.11.2.3 RELENG_6_0 src/UPDATING 1.416.2.3.2.9 src/sys/conf/newvers.sh 1.69.2.8.2.5 src/sys/contrib/pf/net/pf_norm.c 1.11.2.1.2.1