HEADS UP: upcoming security advisories
Jacques A. Vidrine
nectar at FreeBSD.org
Thu Oct 2 10:08:48 PDT 2003
Hello Folks,

Just a status on upcoming advisories.

FreeBSD-SA-03:15.openssh

This is in final review and should be released today. Fixes
for this issue entered the tree on September 24. I apologize
for the delay in getting this one out.

FreeBSD-SA-03:16.filedesc

A reference counting bug was discovered that could lead to
kernel memory disclosure or a system panic. Fixes for this issue
were committed to -CURRENT, -STABLE, and the security branches
earlier today. This bug was reported to us by Joost Pol of
Pine Digital Security, and their advisory just went onto the web:
<URL: http://www.pine.nl/press/pine-cert-20030901.txt >

FreeBSD-SA-03:17.procfs

Several similar bugs involving integer arithmetic underflows
or overflows were identified, again by Joost Pol. These bugs
could also lead to kernel memory disclosure or system panic.
Fixes for this issue are in -CURRENT and -STABLE. The security
branches will be addressed during the rest of the day.
<URL: http://www.pine.nl/press/pine-cert-20030902.txt >

FreeBSD-SA-03:18.openssl

The issue reported at
<URL: http://www.openssl.org/news/secadv_20030930.txt >
affects the version of OpenSSL included with previous versions
of FreeBSD. The impact is limited to denial-of-service. Because
of the relative severity of the above issues, this openssl issue
will likely not be completely dealt with until tomorrow or even
Saturday. The official fixed version, OpenSSL 0.9.7c, was
imported into -CURRENT yesterday, and will be MFC'd to -STABLE
today, but it will be a bit longer to backport fixes for the
security branches.

Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar at celabo.org . jvidrine at verio.net . nectar at freebsd.org . nectar at kth.se