Re: git: a580d36be4c7 - main - security/vuxml: add FreeBSD SA released on 2023-12-05
Date: Wed, 06 Dec 2023 17:37:01 UTC
On Tue, Dec 5, 2023, at 6:04 PM, Philip Paeps wrote: > The branch main has been updated by philip: > > URL: > https://cgit.FreeBSD.org/ports/commit/?id=a580d36be4c7a18862a6a110e8bc2ba14e695125 > > commit a580d36be4c7a18862a6a110e8bc2ba14e695125 > Author: Philip Paeps <philip@FreeBSD.org> > AuthorDate: 2023-12-05 23:01:20 +0000 > Commit: Philip Paeps <philip@FreeBSD.org> > CommitDate: 2023-12-05 23:01:20 +0000 > > security/vuxml: add FreeBSD SA released on 2023-12-05 > > FreeBSD-SA-23:17.pf affects all supported releases (12.4, 13.2, 14.0). > --- > security/vuxml/vuln/2023.xml | 41 +++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 41 insertions(+) > > diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml > index c484528898f7..6516a6a58f8a 100644 > --- a/security/vuxml/vuln/2023.xml > +++ b/security/vuxml/vuln/2023.xml > @@ -1,3 +1,44 @@ > + <vuln vid="9cbbc506-93c1-11ee-8e38-002590c1f29c"> > + <topic>FreeBSD -- TCP spoofing vulnerability in pf(4)</topic> > + <affects> > + <package> > + <name>FreeBSD-kernel</name> > + <range><ge>14.0</ge><lt>14.0_2</lt></range> > + <range><ge>13.2</ge><lt>13.2_7</lt></range> Houston, we have a problem. [17:31 r730-03 dvl ~] % freebsd-version -ukr 13.2-RELEASE-p4 13.2-RELEASE-p4 13.2-RELEASE-p7 [17:35 r730-03 dvl ~] % /usr/local/etc/periodic/security/405.pkg-base-audit Checking for security vulnerabilities in base (userland & kernel): Host system: Database fetched: 2023-12-06T07:45+00:00 FreeBSD-kernel-13.2_4 is vulnerable: FreeBSD -- TCP spoofing vulnerability in pf(4) CVE: CVE-2023-6534 WWW: https://vuxml.FreeBSD.org/freebsd/9cbbc506-93c1-11ee-8e38-002590c1f29c.html 1 problem(s) in 1 installed package(s) found. 0 problem(s) in 0 installed package(s) found. ... I hope to avoid a situation where false positives continue until the user land and kernel are on the patch levels. > + <range><ge>12.4</ge><lt>12.4_9</lt></range> > + </package> > + </affects> > + <description> > + <body xmlns="http://www.w3.org/1999/xhtml"> > + <h1>Problem Description:</h1> > + <p>As part of its stateful TCP connection tracking implementation, > + pf performs sequence number validation on inbound packets. This > + makes it difficult for a would-be attacker to spoof the sender and > + inject packets into a TCP stream, since crafted packets must contain > + sequence numbers which match the current connection state to avoid > + being rejected by the firewall.</p> > + <p>A bug in the implementation of sequence number validation means > + that the sequence number is not in fact validated, allowing an > + attacker who is able to impersonate the remote host and guess the > + connection's port numbers to inject packets into the TCP stream.</p> > + <h1>Impact:</h1> > + <p>An attacker can, with relatively little effort, inject packets > + into a TCP stream destined to a host behind a pf firewall. This > + could be used to implement a denial-of-service attack for hosts > + behind the firewall, for example by sending TCP RST packets to the > + host.</p> > + </body> > + </description> > + <references> > + <cvename>CVE-2023-6534</cvename> > + <freebsdsa>SA-23:17.pf</freebsdsa> > + </references> > + <dates> > + <discovery>2023-12-05</discovery> > + <entry>2023-12-05</entry> > + </dates> > + </vuln> > + > <vuln vid="f25a34b1-910d-11ee-a1a2-641c67a117d8"> > <topic>varnish -- HTTP/2 Rapid Reset Attack</topic> > <affects> -- Dan Langille dan@langille.org