FreeBSD Security Advisory FreeBSD-SA-14:30.unbound

Pasi Koivisto pasi at kanalje.se
Wed Dec 17 15:32:49 UTC 2014 

Hi, I am curios why the installer wants to delete "/".

This is from when I ran the update:

[root at seed ~]# freebsd-update fetch
Looking up update.FreeBSD.org mirrors... none found.
Fetching metadata signature for 10.1-RELEASE from update.FreeBSD.org... done.
Fetching metadata index... done.
Fetching 2 metadata patches.. done.
Applying metadata patches... done.
Inspecting system... done.
Preparing to download files... done.
Fetching 5 patches... done.
Applying patches... done.
Fetching 10 files... done.

The following files will be removed as part of updating to 10.1-RELEASE-p2:
/

The following files will be updated as part of updating to 10.1-RELEASE-p2:
/bin/freebsd-version
/usr/lib/private/libunbound.a
/usr/lib/private/libunbound.so.5
/usr/lib/private/libunbound_p.a
/usr/lib32/libc.a
/usr/lib32/libc.so.7
/usr/lib32/libc_p.a
/usr/lib32/libc_pic.a
/usr/lib32/libmagic.a
/usr/lib32/libmagic.so.4
/usr/lib32/libmagic_p.a
/usr/lib32/private/libunbound.a
/usr/lib32/private/libunbound.so.5
/usr/lib32/private/libunbound_p.a
/usr/sbin/unbound

[root at seed ~]# freebsd-update install
Installing updates...rmdir: ///: Is a directory
 done.

On a consequent reboot and running freebsd-update fetch again

[root at seed ~]# freebsd-version 
10.1-RELEASE-p2
[root at seed ~]# freebsd-update fetch
Looking up update.FreeBSD.org mirrors... none found.
Fetching metadata signature for 10.1-RELEASE from update.FreeBSD.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.

The following files will be removed as part of updating to 10.1-RELEASE-p2:
/
[root at seed ~]# 


> On 17 Dec 2014, at 09:36, FreeBSD Security Advisories <security-advisories at freebsd.org> wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> =============================================================================
> FreeBSD-SA-14:30.unbound                                    Security Advisory
>                                                          The FreeBSD Project
> 
> Topic:          unbound remote denial of service vulnerability
> 
> Category:       contrib
> Module:         unbound
> Announced:      2014-12-17
> Affects:        FreeBSD 10.0-RELEASE and later
> Credits:        Florian Maury (ANSSI)
> Corrected:      2014-12-17 06:58:00 UTC (stable/10, 10.1-STABLE)
>                2014-12-17 06:59:47 UTC (releng/10.1, 10.1-RELEASE-p2)
>                2014-12-17 06:59:47 UTC (releng/10.0, 10.0-RELEASE-p14)
> CVE Name:       CVE-2014-8602
> 
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:https://security.FreeBSD.org/>.
> 
> I.   Background
> 
> Unbound is a validating, recursive, and caching DNS resolver.
> 
> II.  Problem Description
> 
> By causing queries to be made against a maliciously-constructed zone or
> against a malicious DNS server, an attacker who is able to cause
> specific queries to be sent to a nameserver can trick unbound(8) resolver
> into following an endless series of delegations, which consumes a lot of
> resources.
> 
> III. Impact
> 
> Unbound will spend a lot of resources on this query, and this will impact
> unbound's CPU and network resources.  Unbound may therefore lose some
> ability or timelines for the service of customer queries (a denial of
> service).  Unbound will continue to respond normally for cached queries.
> 
> IV.  Workaround
> 
> No workaround is available, but hosts not running unbound(8) are not
> vulnerable.
> 
> V.   Solution
> 
> Perform one of the following:
> 
> 1) Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date.
> 
> 2) To update your vulnerable system via a binary patch:
> 
> Systems running a RELEASE version of FreeBSD on the i386 or amd64
> platforms can be updated via the freebsd-update(8) utility:
> 
> # freebsd-update fetch
> # freebsd-update install
> 
> 3) To update your vulnerable system via a source code patch:
> 
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
> 
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
> 
> [FreeBSD 10.x]
> # fetch https://security.FreeBSD.org/patches/SA-14:30/unbound.patch
> # fetch https://security.FreeBSD.org/patches/SA-14:30/unbound.patch.asc
> # gpg --verify unbound.patch.asc
> 
> b) Apply the patch.  Execute the following commands as root:
> 
> # cd /usr/src
> # patch < /path/to/patch
> 
> c) Recompile the operating system using buildworld and installworld as
> described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
> 
> Restart the unbound(8) daemons, or reboot the system.
> 
> VI.  Correction details
> 
> The following list contains the correction revision numbers for each
> affected branch.
> 
> Branch/path                                                      Revision
> - -------------------------------------------------------------------------
> stable/10/                                                        r275853
> releng/10.0/                                                      r275854
> releng/10.1/                                                      r275854
> - -------------------------------------------------------------------------
> 
> To see which files were modified by a particular revision, run the
> following command, replacing NNNNNN with the revision number, on a
> machine with Subversion installed:
> 
> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
> 
> Or visit the following URL, replacing NNNNNN with the revision number:
> 
> <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
> 
> VII. References
> 
> <URL:https://unbound.net/downloads/CVE-2014-8602.txt>
> 
> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8602>
> 
> The latest revision of this advisory is available at
> <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-14:30.unbound.asc>
> -----BEGIN PGP SIGNATURE-----
> 
> iQIcBAEBCgAGBQJUkTg1AAoJEO1n7NZdz2rn+iUP/3RP0KKn8B2SnSpSLbXws/eY
> GEOTYEsZJpGTtCyIg5eKmJ/AU7dKiD34da2uaL41Lt4hWa/Icyk13CtV6cK9TfN4
> oSrrgDCbqErrFh74lhQX3v3bYHNMhZRVnaM9tHXHmpa9NAKhyTP+eyo+Ss7iK/am
> lVBW2xPv92OKyjo0Onp5h3o5QT6DHpPgW91f9He4GygYfShMXtOb+VhGpllxwbeM
> aS59yPkhGJLVhxQn2QtFpj67QxS5GIhK6iccwrRKo8Okij2mlRfR4fuD5Ol4L9TK
> sZKMGtgESPLGmfW1Pj/BRobyCWcs+cYLchZkxbomQBcH7ybpOMW+SqTB0FkZcscU
> ODMzvum2VZuSl5fAlu3F6V0/k+8cFiE4B/Xyioqa8aRsfYNfWjoETmfE7ld+zXqX
> 8cPizwGYdsuO4g6mNS0HFuuexkJem9qviRfnQUQ/EJQPNfXB33GYBoFquE0mvFUO
> WN5QiietSnNp4/TF+BjXlaeo/PtO+Q8xIdqgdSzouslx95a4j3N127k8Yoz55Nx+
> 3mEeqvZRf5/7ieIgyHti/v/xKZOyGCs6NwlZ6xN+0kanNqMDfjpKnfzTJnnSTbj6
> z6FCzXn986EqL8kpJisKZEJfntvZu4ft/KUo4qzZAtuNgnoUGFYXv5DfQrM75ZJ/
> 9PFQzCA+8snPiCyUhAaC
> =fkvr
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-security-notifications at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
> To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe at freebsd.org"

More information about the freebsd-security mailing list