svn commit: r420106 - head/security/vuxml

Mark Felder feld at FreeBSD.org
Thu Aug 11 21:19:11 UTC 2016


Author: feld
Date: Thu Aug 11 21:19:09 2016
New Revision: 420106
URL: https://svnweb.freebsd.org/changeset/ports/420106

Log:
  Add missing FreeBSD SA entries from 2014 to vuxml

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Thu Aug 11 21:06:42 2016	(r420105)
+++ head/security/vuxml/vuln.xml	Thu Aug 11 21:19:09 2016	(r420106)
@@ -58,6 +58,675 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="74ded00e-6007-11e6-a6c3-14dae9d210b8">
+    <topic>FreeBSD -- Buffer overflow in stdio</topic>
+    <affects>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>10.1</ge><lt>10.1_1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>A programming error in the standard I/O library's
+	__sflush() function could erroneously adjust the buffered
+	stream's internal state even when no write actually occurred
+	in the case when write(2) system call returns an error.</p>
+	<h1>Impact:</h1>
+	<p>The accounting mismatch would accumulate, if the caller
+	does not check for stream status and will eventually lead
+	to a heap buffer overflow.</p>
+	<p>Such overflows may lead to data corruption or the execution
+	of arbitrary code at the privilege level of the calling
+	program.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2014-8611</cvename>
+      <freebsdsa>FreeBSD-SA-14:27.stdio</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2014-12-10</discovery>
+      <entry>2016-08-11</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="7488378d-6007-11e6-a6c3-14dae9d210b8">
+    <topic>FreeBSD -- Remote command execution in ftp(1)</topic>
+    <affects>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>10.0</ge><lt>10.0_12</lt></range>
+	<range><ge>9.3</ge><lt>9.3_5</lt></range>
+	<range><ge>9.2</ge><lt>9.2_15</lt></range>
+	<range><ge>9.1</ge><lt>9.1_22</lt></range>
+	<range><ge>8.4</ge><lt>8.4_19</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>A malicious HTTP server could cause ftp(1) to execute
+	arbitrary commands.</p>
+	<h1>Impact:</h1>
+	<p>When operating on HTTP URIs, the ftp(1) client follows
+	HTTP redirects, and uses the part of the path after the
+	last '/' from the last resource it accesses as the output
+	filename if '-o' is not specified.</p>
+	<p>If the output file name provided by the server begins
+	with a pipe ('|'), the output is passed to popen(3), which
+	might be used to execute arbitrary commands on the ftp(1)
+	client machine.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2014-8517</cvename>
+      <freebsdsa>FreeBSD-SA-14:26.ftp</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2014-11-04</discovery>
+      <entry>2016-08-11</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="74389f22-6007-11e6-a6c3-14dae9d210b8">
+    <topic>FreeBSD -- Kernel stack disclosure in setlogin(2) / getlogin(2)</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>10.0</ge><lt>10.0_12</lt></range>
+	<range><ge>9.3</ge><lt>9.3_5</lt></range>
+	<range><ge>9.2</ge><lt>9.2_15</lt></range>
+	<range><ge>9.1</ge><lt>9.1_22</lt></range>
+	<range><ge>8.4</ge><lt>8.4_19</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>When setlogin(2) is called while setting up a new login
+	session, the login name is copied into an uninitialized
+	stack buffer, which is then copied into a buffer of the
+	same size in the session structure. The getlogin(2) system
+	call returns the entire buffer rather than just the portion
+	occupied by the login name associated with the session.</p>
+	<h1>Impact:</h1>
+	<p>An unprivileged user can access this memory by calling
+	getlogin(2) and reading beyond the terminating NUL character
+	of the resulting string. Up to 16 (FreeBSD 8) or 32 (FreeBSD
+	9 and 10) bytes of kernel memory may be leaked in this
+	manner for each invocation of setlogin(2).</p>
+	<p>This memory may contain sensitive information, such as
+	portions of the file cache or terminal buffers, which an
+	attacker might leverage to obtain elevated privileges.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2014-8476</cvename>
+      <freebsdsa>FreeBSD-SA-14:25.setlogin</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2014-11-04</discovery>
+      <entry>2016-08-11</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="73e9a137-6007-11e6-a6c3-14dae9d210b8">
+    <topic>FreeBSD -- Denial of service attack against sshd(8)</topic>
+    <affects>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>10.0</ge><lt>10.0_12</lt></range>
+	<range><ge>9.2</ge><lt>9.2_15</lt></range>
+	<range><ge>9.1</ge><lt>9.1_22</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>Although OpenSSH is not multithreaded, when OpenSSH is
+	compiled with Kerberos support, the Heimdal libraries bring
+	in the POSIX thread library as a dependency. Due to incorrect
+	library ordering while linking sshd(8), symbols in the C
+	library which are shadowed by the POSIX thread library may
+	not be resolved correctly at run time.</p>
+	<p>Note that this problem is specific to the FreeBSD build
+	system and does not affect other operating systems or the
+	version of OpenSSH available from the FreeBSD ports tree.</p>
+	<h1>Impact:</h1>
+	<p>An incorrectly linked sshd(8) child process may deadlock
+	while handling an incoming connection. The connection may
+	then time out or be interrupted by the client, leaving the
+	deadlocked sshd(8) child process behind. Eventually, the
+	sshd(8) parent process stops accepting new connections.</p>
+	<p>An attacker may take advantage of this by repeatedly
+	connecting and then dropping the connection after having
+	begun, but not completed, the authentication process.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2014-8475</cvename>
+      <freebsdsa>FreeBSD-SA-14:24.sshd</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2014-11-04</discovery>
+      <entry>2016-08-11</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="73964eac-6007-11e6-a6c3-14dae9d210b8">
+    <topic>FreeBSD -- memory leak in sandboxed namei lookup</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>10.0</ge><lt>10.0_10</lt></range>
+	<range><ge>9.3</ge><lt>9.3_3</lt></range>
+	<range><ge>9.2</ge><lt>9.2_13</lt></range>
+	<range><ge>9.1</ge><lt>9.1_20</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>The namei facility will leak a small amount of kernel
+	memory every time a sandboxed process looks up a nonexistent
+	path name.</p>
+	<h1>Impact:</h1>
+	<p>A remote attacker that can cause a sandboxed process
+	(for instance, a web server) to look up a large number of
+	nonexistent path names can cause memory exhaustion.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2014-3711</cvename>
+      <freebsdsa>FreeBSD-SA-14:22.namei</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2014-10-21</discovery>
+      <entry>2016-08-11</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="734233f4-6007-11e6-a6c3-14dae9d210b8">
+    <topic>FreeBSD -- routed(8) remote denial of service vulnerability</topic>
+    <affects>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>10.0</ge><lt>10.0_10</lt></range>
+	<range><ge>9.3</ge><lt>9.3_3</lt></range>
+	<range><ge>9.2</ge><lt>9.2_13</lt></range>
+	<range><ge>9.1</ge><lt>9.1_20</lt></range>
+	<range><ge>8.4</ge><lt>8.4_17</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>The input path in routed(8) will accept queries from any
+	source and attempt to answer them. However, the output path
+	assumes that the destination address for the response is
+	on a directly connected network.</p>
+	<h1>Impact:</h1>
+	<p>Upon receipt of a query from a source which is not on a
+	directly connected network, routed(8) will trigger an
+	assertion and terminate. The affected system's routing table
+	will no longer be updated. If the affected system is a
+	router, its routes will eventually expire from other routers'
+	routing tables, and its networks will no longer be reachable
+	unless they are also connected to another router.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2014-3955</cvename>
+      <freebsdsa>FreeBSD-SA-14:21.routed</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2014-10-21</discovery>
+      <entry>2016-08-11</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="72ee7111-6007-11e6-a6c3-14dae9d210b8">
+    <topic>FreeBSD -- rtsold(8) remote buffer overflow vulnerability</topic>
+    <affects>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>10.0</ge><lt>10.0_10</lt></range>
+	<range><ge>9.3</ge><lt>9.3_3</lt></range>
+	<range><ge>9.2</ge><lt>9.2_13</lt></range>
+	<range><ge>9.1</ge><lt>9.1_20</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>Due to a missing length check in the code that handles
+	DNS parameters, a malformed router advertisement message
+	can result in a stack buffer overflow in rtsold(8).</p>
+	<h1>Impact:</h1>
+	<p>Receipt of a router advertisement message with a malformed
+	DNSSL option, for instance from a compromised host on the
+	same network, can cause rtsold(8) to crash.</p>
+	<p>While it is theoretically possible to inject code into
+	rtsold(8) through malformed router advertisement messages,
+	it is normally compiled with stack protection enabled,
+	rendering such an attack extremely difficult.</p>
+	<p>When rtsold(8) crashes, the existing DNS configuration
+	will remain in force, and the kernel will continue to receive
+	and process periodic router advertisements.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2014-3954</cvename>
+      <freebsdsa>FreeBSD-SA-14:20.rtsold</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2014-10-21</discovery>
+      <entry>2016-08-11</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="729c4a9f-6007-11e6-a6c3-14dae9d210b8">
+    <topic>FreeBSD -- Denial of Service in TCP packet processing</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>10.0</ge><lt>10.0_9</lt></range>
+	<range><ge>9.3</ge><lt>9.3_2</lt></range>
+	<range><ge>9.2</ge><lt>9.2_12</lt></range>
+	<range><ge>9.1</ge><lt>9.1_19</lt></range>
+	<range><ge>8.4</ge><lt>8.4_16</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>When a segment with the SYN flag for an already existing
+	connection arrives, the TCP stack tears down the connection,
+	bypassing a check that the sequence number in the segment
+	is in the expected window.</p>
+	<h1>Impact:</h1>
+	<p>An attacker who has the ability to spoof IP traffic can
+	tear down a TCP connection by sending only 2 packets, if
+	they know both TCP port numbers. In case one of the two
+	port numbers is unknown, a successful attack requires less
+	than 2**17 packets spoofed, which can be generated within
+	less than a second on a decent connection to the Internet.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2004-0230</cvename>
+      <freebsdsa>FreeBSD-SA-14:19.tcp</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2014-09-16</discovery>
+      <entry>2016-08-11</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="7240de58-6007-11e6-a6c3-14dae9d210b8">
+    <topic>FreeBSD -- Kernel memory disclosure in control messages and SCTP</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>10.0</ge><lt>10.0_7</lt></range>
+	<range><ge>9.2</ge><lt>9.2_10</lt></range>
+	<range><ge>9.1</ge><lt>9.1_17</lt></range>
+	<range><ge>8.4</ge><lt>8.4_14</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>Buffer between control message header and data may not
+	be completely initialized before being copied to userland.
+	[CVE-2014-3952]</p>
+	<p>Three SCTP cmsgs, SCTP_SNDRCV, SCTP_EXTRCV and SCTP_RCVINFO,
+	have implicit padding that may not be completely initialized
+	before being copied to userland. In addition, three SCTP
+	notifications, SCTP_PEER_ADDR_CHANGE, SCTP_REMOTE_ERROR and
+	SCTP_AUTHENTICATION_EVENT, have padding in the returning
+	data structure that may not be completely initialized before
+	being copied to userland. [CVE-2014-3953]</p>
+	<h1>Impact:</h1>
+	<p>An unprivileged local process may be able to retrieve
+	portion of kernel memory.</p>
+	<p>For the generic control message, the process may be able
+	to retrieve a maximum of 4 bytes of kernel memory.</p>
+	<p>For SCTP, the process may be able to retrieve 2 bytes
+	of kernel memory for all three control messages, plus 92
+	bytes for SCTP_SNDRCV and 76 bytes for SCTP_EXTRCV. If the
+	local process is permitted to receive SCTP notification, a
+	maximum of 112 bytes of kernel memory may be returned to
+	userland.</p>
+	<p>This information might be directly useful, or it might
+	be leveraged to obtain elevated privileges in some way. For
+	example, a terminal buffer might include a user-entered
+	password.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2014-3952</cvename>
+      <cvename>CVE-2014-3953</cvename>
+      <freebsdsa>FreeBSD-SA-14:17.kmem</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2014-07-08</discovery>
+      <entry>2016-08-11</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="70140f20-6007-11e6-a6c3-14dae9d210b8">
+    <topic>FreeBSD -- Multiple vulnerabilities in file(1) and libmagic(3)</topic>
+    <affects>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>10.0</ge><lt>10.0_6</lt></range>
+	<range><ge>9.2</ge><lt>9.2_9</lt></range>
+	<range><ge>9.1</ge><lt>9.1_16</lt></range>
+	<range><ge>8.4</ge><lt>8.4_13</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>A specifically crafted Composite Document File (CDF)
+	file can trigger an out-of-bounds read or an invalid pointer
+	dereference. [CVE-2012-1571]</p>
+	<p>A flaw in regular expression in the awk script detector
+	makes use of multiple wildcards with unlimited repetitions.
+	[CVE-2013-7345]</p>
+	<p>A malicious input file could trigger infinite recursion
+	in libmagic(3). [CVE-2014-1943]</p>
+	<p>A specifically crafted Portable Executable (PE) can
+	trigger out-of-bounds read. [CVE-2014-2270]</p>
+	<h1>Impact:</h1>
+	<p>An attacker who can cause file(1) or any other applications
+	using the libmagic(3) library to be run on a maliciously
+	constructed input can the application to crash or consume
+	excessive CPU resources, resulting in a denial-of-service.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2012-1571</cvename>
+      <cvename>CVE-2013-7345</cvename>
+      <cvename>CVE-2014-1943</cvename>
+      <cvename>CVE-2014-2270</cvename>
+      <freebsdsa>FreeBSD-SA-14:16.file</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2014-06-24</discovery>
+      <entry>2016-08-11</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="6f91a709-6007-11e6-a6c3-14dae9d210b8">
+    <topic>FreeBSD -- iconv(3) NULL pointer dereference and out-of-bounds array access</topic>
+    <affects>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>10.0</ge><lt>10.0_6</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>A NULL pointer dereference in the initialization code
+	of the HZ module and an out of bounds array access in the
+	initialization code of the VIQR module make iconv_open(3)
+	calls involving HZ or VIQR result in an application crash.</p>
+	<h1>Impact:</h1>
+	<p>Services where an attacker can control the arguments of
+	an iconv_open(3) call can be caused to crash resulting in
+	a denial-of-service. For example, an email encoded in HZ
+	may cause an email delivery service to crash if it converts
+	emails to a more generic encoding like UTF-8 before applying
+	filtering rules.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2014-3951</cvename>
+      <freebsdsa>FreeBSD-SA-14:15.iconv</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2014-06-24</discovery>
+      <entry>2016-08-11</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="6e8f9003-6007-11e6-a6c3-14dae9d210b8">
+    <topic>FreeBSD -- Incorrect error handling in PAM policy parser</topic>
+    <affects>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>9.2</ge><lt>9.2_7</lt></range>
+	<range><ge>10.0</ge><lt>10.0_4</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>The OpenPAM library searches for policy definitions in
+	several locations. While doing so, the absence of a policy
+	file is a soft failure (handled by searching in the next
+	location) while the presence of an invalid file is a hard
+	failure (handled by returning an error to the caller).</p>
+	<p>The policy parser returns the same error code (ENOENT)
+	when a syntactically valid policy references a non-existent
+	module as when the requested policy file does not exist.
+	The search loop regards this as a soft failure and looks
+	for the next similarly-named policy, without discarding the
+	partially-loaded configuration.</p>
+	<p>A similar issue can arise if a policy contains an include
+	directive that refers to a non-existent policy.</p>
+	<h1>Impact:</h1>
+	<p>If a module is removed, or the name of a module is
+	misspelled in the policy file, the PAM library will proceed
+	with a partially loaded configuration. Depending on the
+	exact circumstances, this may result in a fail-open scenario
+	where users are allowed to log in without a password, or
+	with an incorrect password.</p>
+	<p>In particular, if a policy references a module installed
+	by a package or port, and that package or port is being
+	reinstalled or upgraded, there is a brief window of time
+	during which the module is absent and policies that use it
+	may fail open. This can be especially damaging to Internet-facing
+	SSH servers, which are regularly subjected to brute-force
+	scans.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2014-3879</cvename>
+      <freebsdsa>FreeBSD-SA-14:13.pam</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2014-06-03</discovery>
+      <entry>2016-08-11</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="6e04048b-6007-11e6-a6c3-14dae9d210b8">
+    <topic>FreeBSD -- ktrace kernel memory disclosure</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>9.2</ge><lt>9.2_7</lt></range>
+	<range><ge>9.1</ge><lt>9.1_14</lt></range>
+	<range><ge>8.4</ge><lt>8.4_11</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>Due to an overlooked merge to -STABLE branches, the size
+	for page fault kernel trace entries was set incorrectly.</p>
+	<h1>Impact:</h1>
+	<p>A user who can enable kernel process tracing could end
+	up reading the contents of kernel memory.</p>
+	<p>Such memory might contain sensitive information, such
+	as portions of the file cache or terminal buffers. This
+	information might be directly useful, or it might be leveraged
+	to obtain elevated privileges in some way; for example, a
+	terminal buffer might include a user-entered password.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2014-3873</cvename>
+      <freebsdsa>FreeBSD-SA-14:12.ktrace</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2014-06-03</discovery>
+      <entry>2016-08-11</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="6d9eadaf-6007-11e6-a6c3-14dae9d210b8">
+    <topic>FreeBSD -- sendmail improper close-on-exec flag handling</topic>
+    <affects>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>10.0</ge><lt>10.0_4</lt></range>
+	<range><ge>9.2</ge><lt>9.2_7</lt></range>
+	<range><ge>9.1</ge><lt>9.1_14</lt></range>
+	<range><ge>8.4</ge><lt>8.4_11</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>There is a programming error in sendmail(8) that prevented
+	open file descriptors have close-on-exec properly set.
+	Consequently a subprocess will be able to access all open
+	files that the parent process have open.</p>
+	<h1>Impact:</h1>
+	<p>A local user who can execute their own program for mail
+	delivery will be able to interfere with an open SMTP
+	connection.</p>
+      </body>
+    </description>
+    <references>
+      <freebsdsa>FreeBSD-SA-14:11.sendmail</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2014-06-03</discovery>
+      <entry>2016-08-11</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="6d472244-6007-11e6-a6c3-14dae9d210b8">
+    <topic>FreeBSD -- TCP reassembly vulnerability</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>8.4</ge><lt>8.4_9</lt></range>
+	<range><ge>8.3</ge><lt>8.3_16</lt></range>
+	<range><ge>9.2</ge><lt>9.2_5</lt></range>
+	<range><ge>9.1</ge><lt>9.1_12</lt></range>
+	<range><ge>10.0</ge><lt>10.0_2</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>FreeBSD may add a reassemble queue entry on the stack
+	into the segment list when the reassembly queue reaches its
+	limit. The memory from the stack is undefined after the
+	function returns. Subsequent iterations of the reassembly
+	function will attempt to access this entry.</p>
+	<h1>Impact:</h1>
+	<p>An attacker who can send a series of specifically crafted
+	packets with a connection could cause a denial of service
+	situation by causing the kernel to crash.</p>
+	<p>Additionally, because the undefined on stack memory may
+	be overwritten by other kernel threads, while extremely
+	difficult, it may be possible for an attacker to construct
+	a carefully crafted attack to obtain portion of kernel
+	memory via a connected socket. This may result in the
+	disclosure of sensitive information such as login credentials,
+	etc. before or even without crashing the system.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2014-3000</cvename>
+      <freebsdsa>FreeBSD-SA-14:08.tcp</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2014-04-30</discovery>
+      <entry>2016-08-11</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="6b6ca5b6-6007-11e6-a6c3-14dae9d210b8">
+    <topic>FreeBSD -- devfs rules not applied by default for jails</topic>
+    <affects>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>10.0</ge><lt>10.0_2</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>The default devfs rulesets are not loaded on boot, even
+	when jails are used. Device nodes will be created in the
+	jail with their normal default access permissions, while
+	most of them should be hidden and inaccessible.</p>
+	<h1>Impact:</h1>
+	<p>Jailed processes can get access to restricted resources
+	on the host system. For jailed processes running with
+	superuser privileges this implies access to all devices on
+	the system. This level of access could lead to information
+	leakage and privilege escalation.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2014-3001</cvename>
+      <freebsdsa>FreeBSD-SA-14:07.devfs</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2014-04-30</discovery>
+      <entry>2016-08-11</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="6a384960-6007-11e6-a6c3-14dae9d210b8">
+    <topic>FreeBSD -- Deadlock in the NFS server</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>10.0</ge><lt>10.0_1</lt></range>
+	<range><ge>9.2</ge><lt>9.2_4</lt></range>
+	<range><ge>9.1</ge><lt>9.1_11</lt></range>
+	<range><ge>8.4</ge><lt>8.4_8</lt></range>
+	<range><ge>8.3</ge><lt>8.3_15</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>The kernel holds a lock over the source directory vnode
+	while trying to convert the target directory file handle
+	to a vnode, which needs to be returned with the lock held,
+	too. This order may be in violation of normal lock order,
+	which in conjunction with other threads that grab locks in
+	the right order, constitutes a deadlock condition because
+	no thread can proceed.</p>
+	<h1>Impact:</h1>
+	<p>An attacker on a trusted client could cause the NFS
+	server become deadlocked, resulting in a denial of service.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2014-1453</cvename>
+      <freebsdsa>FreeBSD-SA-14:05.nfsserver</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2014-04-08</discovery>
+      <entry>2016-08-11</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="4c96ecf2-5fd9-11e6-a6c3-14dae9d210b8">
     <topic>FreeBSD -- bsnmpd remote denial of service vulnerability</topic>
     <affects>
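Review bot: the affects block of the FreeBSD-SA-14:27.stdio entry (vid 74ded00e-...) covers only `<range><ge>10.1</ge><lt>10.1_1</lt></range>`, while every other entry in this hunk enumerates each supported branch of the time (10.0, 9.x, 8.4); since the bug is in libc's __sflush() rather than anything 10.1-specific, please confirm against the advisory's "Corrected" list whether ranges for the older branches are missing, because an entry that omits a branch means `pkg audit` stays silent on hosts running it. Three description paragraphs carry grammar slips that will be rendered verbatim by the VuXML tooling: "can the application to crash or consume" (SA-14:16.file) should read "can cause the application to crash or consume", "prevented open file descriptors have close-on-exec properly set" (SA-14:11.sendmail) should read "prevented open file descriptors from having close-on-exec properly set", and "cause the NFS server become deadlocked" (SA-14:05.nfsserver) should read "cause the NFS server to become deadlocked". As a style point, the range lists in the SA-14:13.pam entry (9.2 before 10.0) and the SA-14:08.tcp entry (8.4, 8.3, 9.2, 9.1, 10.0) do not follow the descending-branch order used by the other new entries; sorting them the same way makes the file easier to diff against future additions.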