svn commit: r44311 - head/en_US.ISO8859-1/books/handbook/security
Dru Lavigne
dru at FreeBSD.org
Fri Mar 21 17:25:31 UTC 2014
Author: dru
Date: Fri Mar 21 17:25:31 2014
New Revision: 44311
URL: http://svnweb.freebsd.org/changeset/doc/44311
Log:
Update example Security Advisory and its descriptions.
Next commit will add to the introduction of this section.
Sponsored by: iXsystems
Modified:
head/en_US.ISO8859-1/books/handbook/security/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Fri Mar 21 16:12:49 2014 (r44310)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Fri Mar 21 17:25:31 2014 (r44311)
@@ -3183,66 +3183,178 @@ You are advised to update or deinstall t
<sect2>
<title>What Does an Advisory Look Like?</title>
- <para>&os; security advisories use the format seen in this
- example:</para>
+ <para>Here is an example of a &os; security advisory:</para>
<programlisting>=============================================================================
-FreeBSD-SA-XX:XX.UTIL Security Advisory
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-14:04.bind Security Advisory
The FreeBSD Project
-Topic: denial of service due to some problem <co xml:id="co-topic"/>
+Topic: BIND remote denial of service vulnerability
-Category: core <co xml:id="co-category"/>
-Module: sys <co xml:id="co-module"/>
-Announced: 2003-09-23 <co xml:id="co-announce"/>
-Credits: Person <co xml:id="co-credit"/>
-Affects: All releases of &os; <co xml:id="co-affects"/>
- &os; 4-STABLE prior to the correction date
-Corrected: 2003-09-23 16:42:59 UTC (RELENG_4, 4.9-PRERELEASE)
- 2003-09-23 20:08:42 UTC (RELENG_5_1, 5.1-RELEASE-p6)
- 2003-09-23 20:07:06 UTC (RELENG_5_0, 5.0-RELEASE-p15)
- 2003-09-23 16:44:58 UTC (RELENG_4_8, 4.8-RELEASE-p8)
- 2003-09-23 16:47:34 UTC (RELENG_4_7, 4.7-RELEASE-p18)
- 2003-09-23 16:49:46 UTC (RELENG_4_6, 4.6-RELEASE-p21)
- 2003-09-23 16:51:24 UTC (RELENG_4_5, 4.5-RELEASE-p33)
- 2003-09-23 16:52:45 UTC (RELENG_4_4, 4.4-RELEASE-p43)
- 2003-09-23 16:54:39 UTC (RELENG_4_3, 4.3-RELEASE-p39) <co xml:id="co-corrected"/>
-<acronym>CVE</acronym> Name: CVE-XXXX-XXXX <co xml:id="co-cve"/>
+Category: contrib
+Module: bind
+Announced: 2014-01-14
+Credits: ISC
+Affects: FreeBSD 8.x and FreeBSD 9.x
+Corrected: 2014-01-14 19:38:37 UTC (stable/9, 9.2-STABLE)
+ 2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3)
+ 2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10)
+ 2014-01-14 19:38:37 UTC (stable/8, 8.4-STABLE)
+ 2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7)
+ 2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14)
+CVE Name: CVE-2014-0591
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
-following sections, please visit
-http://www.FreeBSD.org/security/.
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I. Background
+
+BIND 9 is an implementation of the Domain Name System (DNS) protocols.
+The named(8) daemon is an Internet Domain Name Server.
+
+II. Problem Description
+
+Because of a defect in handling queries for NSEC3-signed zones, BIND can
+crash with an "INSIST" failure in name.c when processing queries possessing
+certain properties. This issue only affects authoritative nameservers with
+at least one NSEC3-signed zone. Recursive-only servers are not at risk.
+
+III. Impact
+
+An attacker who can send a specially crafted query could cause named(8)
+to crash, resulting in a denial of service.
+
+IV. Workaround
+
+No workaround is available, but systems not running authoritative DNS service
+with at least one NSEC3-signed zone using named(8) are not vulnerable.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
-I. Background <co xml:id="co-backround"/>
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+[FreeBSD 8.3, 8.4, 9.1, 9.2-RELEASE and 8.4-STABLE]
+# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch.asc
+# gpg --verify bind-release.patch.asc
-II. Problem Description <co xml:id="co-descript"/>
+[FreeBSD 9.2-STABLE]
+# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch.asc
+# gpg --verify bind-stable-9.patch.asc
+b) Execute the following commands as root:
-III. Impact <co xml:id="co-impact"/>
+# cd /usr/src
+# patch < /path/to/patch
+Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
-IV. Workaround <co xml:id="co-workaround"/>
+Restart the applicable daemons, or reboot the system.
+3) To update your vulnerable system via a binary patch:
-V. Solution <co xml:id="co-solution"/>
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+# freebsd-update fetch
+# freebsd-update install
-VI. Correction details <co xml:id="co-details"/>
+VI. Correction details
+The following list contains the correction revision numbers for each
+affected branch.
-VII. References <co xml:id="co-ref"/></programlisting>
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/8/ r260646
+releng/8.3/ r260647
+releng/8.4/ r260647
+stable/9/ r260646
+releng/9.1/ r260647
+releng/9.2/ r260647
+- -------------------------------------------------------------------------
- <calloutlist>
- <callout arearefs="co-topic">
- <para>The <literal>Topic</literal> field specifies the
- problem. It provides an introduction to the security
- advisory and notes the utility affected by the
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://kb.isc.org/article/AA-01078>
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0591>
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:04.bind.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJS1ZTYAAoJEO1n7NZdz2rnOvQP/2/68/s9Cu35PmqNtSZVVxVG
+ZSQP5EGWx/lramNf9566iKxOrLRMq/h3XWcC4goVd+gZFrvITJSVOWSa7ntDQ7TO
+XcinfRZ/iyiJbs/Rg2wLHc/t5oVSyeouyccqODYFbOwOlk35JjOTMUG1YcX+Zasg
+ax8RV+7Zt1QSBkMlOz/myBLXUjlTZ3Xg2FXVsfFQW5/g2CjuHpRSFx1bVNX6ysoG
+9DT58EQcYxIS8WfkHRbbXKh9I1nSfZ7/Hky/kTafRdRMrjAgbqFgHkYTYsBZeav5
+fYWKGQRJulYfeZQ90yMTvlpF42DjCC3uJYamJnwDIu8OhS1WRBI8fQfr9DRzmRua
+OK3BK9hUiScDZOJB6OqeVzUTfe7MAA4/UwrDtTYQ+PqAenv1PK8DZqwXyxA9ThHb
+zKO3OwuKOVHJnKvpOcr+eNwo7jbnHlis0oBksj/mrq2P9m2ueF9gzCiq5Ri5Syag
+Wssb1HUoMGwqU0roS8+pRpNC8YgsWpsttvUWSZ8u6Vj/FLeHpiV3mYXPVMaKRhVm
+067BA2uj4Th1JKtGleox+Em0R7OFbCc/9aWC67wiqI6KRyit9pYiF3npph+7D5Eq
+7zPsUdDd+qc+UTiLp3liCRp5w6484wWdhZO6wRtmUgxGjNkxFoNnX8CitzF8AaqO
+UWWemqWuz3lAZuORQ9KX
+=OQzQ
+-----END PGP SIGNATURE-----</programlisting>
+
+ <para>Every security advisory uses the following format:</para>
+
+ <itemizedlist>
+ <listitem>
+ <para>Each security advisory is signed by the
+ <acronym>PGP</acronym> key of the Security Officer. The
+ public key for the Security Officer can be verified at
+ <xref linkend="pgpkeys"/>.</para>
+ </listitem>
+
+ <listitem>
+ <para>The name of the security advisory always begins with
+ <literal>FreeBSD-SA-</literal> (for FreeBSD Security
+ Advisory), followed by the year in two digit format
+ (<literal>14:</literal>), followed by the advisory number
+ for that year (<literal>04.</literal>), followed by the
+ name of the affected application or subsystem
+ (<literal>bind</literal>). The advisory shown here is the
+ fourth advisory for 2014 and it affects
+ <application>BIND</application>.</para>
+ </listitem>
+
+ <listitem>
+ <para>The <literal>Topic</literal> field summarizes the
vulnerability.</para>
- </callout>
+ </listitem>
- <callout arearefs="co-category">
+ <listitem>
<para>The <literal>Category</literal> refers to the
affected part of the system which may be one of
<literal>core</literal>, <literal>contrib</literal>, or
@@ -3250,113 +3362,95 @@ VII. References <co xml:id="co-ref"/></p
category means that the vulnerability affects a core
component of the &os; operating system. The
<literal>contrib</literal> category means that the
- vulnerability affects software contributed to the &os;
- Project, such as <application>Sendmail</application>.
+ vulnerability affects software included with &os;,
+ such as <application>BIND</application>.
The <literal>ports</literal> category indicates that the
- vulnerability affects add on software available through
+ vulnerability affects software available through
the Ports Collection.</para>
- </callout>
+ </listitem>
- <callout arearefs="co-module">
+ <listitem>
<para>The <literal>Module</literal> field refers to the
component location. In this example, the
- <literal>sys</literal> module is affected; therefore, this
- vulnerability affects a component used within the
- kernel.</para>
- </callout>
+ <literal>bind</literal> module is affected; therefore, this
+ vulnerability affects an application installed with the
+ operating system.</para>
+ </listitem>
- <callout arearefs="co-announce">
+ <listitem>
<para>The <literal>Announced</literal> field reflects the
- date the security advisory was published, or announced
- to the world. This means that the security team has
+ date the security advisory was published. This means
+ that the security team has
verified that the problem exists and that a patch has
been committed to the &os; source code repository.</para>
- </callout>
+ </listitem>
- <callout arearefs="co-credit">
+ <listitem>
<para>The <literal>Credits</literal> field gives credit to
the individual or organization who noticed the
vulnerability and reported it.</para>
- </callout>
+ </listitem>
- <callout arearefs="co-affects">
+ <listitem>
<para>The <literal>Affects</literal> field explains which
- releases of &os; are affected by this vulnerability.
- For the kernel, a quick look over the output from
- &man.ident.1; on the affected files will help in
- determining the revision. For ports, the version number
- is listed after the port name in <filename>/var/db/pkg</filename>. If the
- system does not sync with the &os; Subversion repository
- and is not rebuilt daily, chances are that it is
- affected.</para>
- </callout>
+ releases of &os; are affected by this vulnerability.</para>
+ </listitem>
- <callout arearefs="co-corrected">
+ <listitem>
<para>The <literal>Corrected</literal> field indicates the
- date, time, time offset, and release that was
+ date, time, time offset, and releases that were
corrected.</para>
- </callout>
+ </listitem>
- <callout arearefs="co-cve">
- <para>Reserved for the identification information used to
- look up vulnerabilities in the <link xlink:href="http://cve.mitre.org">Common Vulnerabilities
- and Exposures</link> database.</para>
- </callout>
-
- <callout arearefs="co-backround">
- <para>The <literal>Background</literal> field gives
- information about the affected utility. Most of the time
- this is why the utility exists in &os;, what it is used
- for, and a bit of information on how the utility came to
- be.</para>
- </callout>
+ <listitem>
+ <para>The <literal>CVE Name</literal> field lists the
+ advisory number, if one exists, in the public <link
+ xlink:href="http://cve.mitre.org">cve.mitre.org</link>
+ security vulnerabilities database.</para>
+ </listitem>
+
+ <listitem>
+ <para>The <literal>Background</literal> field provides a
+ description of the affected module.</para>
+ </listitem>
- <callout arearefs="co-descript">
+ <listitem>
<para>The <literal>Problem Description</literal> field
- explains the security hole in depth. This can include
- information on flawed code, or even how the utility
- could be maliciously used to open a security hole.</para>
- </callout>
+ explains the vulnerability. This can include
+ information about the flawed code and how the utility
+ could be maliciously used.</para>
+ </listitem>
- <callout arearefs="co-impact">
+ <listitem>
<para>The <literal>Impact</literal> field describes what
- type of impact the problem could have on a system. For
- example, this could be anything from a denial of service
- attack, to extra privileges available to users, or even
- giving the attacker superuser access.</para>
- </callout>
-
- <callout arearefs="co-workaround">
- <para>The <literal>Workaround</literal> field offers a
- workaround to system administrators who cannot
- upgrade the system due to time constraints, network
- availability, or other reasons. Security should not be
- taken lightly, and an affected system should either be
- patched or the workaround implemented.</para>
- </callout>
+ type of impact the problem could have on a system.</para>
+ </listitem>
+
+ <listitem>
+ <para>The <literal>Workaround</literal> field indicates if
+ a workaround is available to system administrators who cannot
+ immediately patch the system .</para>
+ </listitem>
- <callout arearefs="co-solution">
- <para>The <literal>Solution</literal> field offers
+ <listitem>
+ <para>The <literal>Solution</literal> field provides the
instructions for patching the affected system. This is a
step by step tested and verified method for getting a
system patched and working securely.</para>
- </callout>
+ </listitem>
- <callout arearefs="co-details">
+ <listitem>
<para>The <literal>Correction Details</literal> field
- displays the Subversion branch or release name with the
- periods changed to underscore characters. It also shows
- the revision number of the affected files within each
- branch.</para>
- </callout>
-
- <callout arearefs="co-ref">
- <para>The <literal>References</literal> field usually
- offers sources of other information. This can include
- web <acronym>URL</acronym>s, books, mailing lists, and
- newsgroups.</para>
- </callout>
- </calloutlist>
+ displays each affected Subversion branch with
+ the revision number that contains the corrected code.</para>
+ </listitem>
+
+ <listitem>
+ <para>The <literal>References</literal> field
+ offers sources of additional information regarding the
+ vulnerability.</para>
+ </listitem>
+ </itemizedlist>
</sect2>
</sect1>
More information about the svn-doc-head
mailing list