svn commit: r44311 - head/en_US.ISO8859-1/books/handbook/security

Dru Lavigne dru at FreeBSD.org
Fri Mar 21 17:25:31 UTC 2014


Author: dru
Date: Fri Mar 21 17:25:31 2014
New Revision: 44311
URL: http://svnweb.freebsd.org/changeset/doc/44311

Log:
  Update example Security Advisory and its descriptions.
  Next commit will add to the introduction of this section.
  
  Sponsored by: iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/security/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Fri Mar 21 16:12:49 2014	(r44310)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Fri Mar 21 17:25:31 2014	(r44311)
@@ -3183,66 +3183,178 @@ You are advised to update or deinstall t
     <sect2>
       <title>What Does an Advisory Look Like?</title>
 
-      <para>&os; security advisories use the format seen in this
-	example:</para>
+      <para>Here is an example of a &os; security advisory:</para>
 
       <programlisting>=============================================================================
-FreeBSD-SA-XX:XX.UTIL                                       Security Advisory
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-14:04.bind                                       Security Advisory
                                                           The FreeBSD Project
 
-Topic:          denial of service due to some problem <co xml:id="co-topic"/>
+Topic:          BIND remote denial of service vulnerability
 
-Category:       core <co xml:id="co-category"/>
-Module:         sys <co xml:id="co-module"/>
-Announced:      2003-09-23 <co xml:id="co-announce"/>
-Credits:        Person <co xml:id="co-credit"/>
-Affects:        All releases of &os; <co xml:id="co-affects"/>
-                &os; 4-STABLE prior to the correction date
-Corrected:      2003-09-23 16:42:59 UTC (RELENG_4, 4.9-PRERELEASE)
-                2003-09-23 20:08:42 UTC (RELENG_5_1, 5.1-RELEASE-p6)
-                2003-09-23 20:07:06 UTC (RELENG_5_0, 5.0-RELEASE-p15)
-                2003-09-23 16:44:58 UTC (RELENG_4_8, 4.8-RELEASE-p8)
-                2003-09-23 16:47:34 UTC (RELENG_4_7, 4.7-RELEASE-p18)
-                2003-09-23 16:49:46 UTC (RELENG_4_6, 4.6-RELEASE-p21)
-                2003-09-23 16:51:24 UTC (RELENG_4_5, 4.5-RELEASE-p33)
-                2003-09-23 16:52:45 UTC (RELENG_4_4, 4.4-RELEASE-p43)
-                2003-09-23 16:54:39 UTC (RELENG_4_3, 4.3-RELEASE-p39) <co xml:id="co-corrected"/>
-<acronym>CVE</acronym> Name:       CVE-XXXX-XXXX <co xml:id="co-cve"/>
+Category:       contrib
+Module:         bind
+Announced:      2014-01-14
+Credits:        ISC
+Affects:        FreeBSD 8.x and FreeBSD 9.x
+Corrected:      2014-01-14 19:38:37 UTC (stable/9, 9.2-STABLE)
+                2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3)
+                2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10)
+                2014-01-14 19:38:37 UTC (stable/8, 8.4-STABLE)
+                2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7)
+                2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14)
+CVE Name:       CVE-2014-0591
 
 For general information regarding FreeBSD Security Advisories,
 including descriptions of the fields above, security branches, and the
-following sections, please visit
-http://www.FreeBSD.org/security/.
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+BIND 9 is an implementation of the Domain Name System (DNS) protocols.
+The named(8) daemon is an Internet Domain Name Server.
+
+II.  Problem Description
+
+Because of a defect in handling queries for NSEC3-signed zones, BIND can
+crash with an "INSIST" failure in name.c when processing queries possessing
+certain properties.  This issue only affects authoritative nameservers with
+at least one NSEC3-signed zone.  Recursive-only servers are not at risk.
+
+III. Impact
+
+An attacker who can send a specially crafted query could cause named(8)
+to crash, resulting in a denial of service.
+
+IV.  Workaround
+
+No workaround is available, but systems not running authoritative DNS service
+with at least one NSEC3-signed zone using named(8) are not vulnerable.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
 
-I.   Background <co xml:id="co-backround"/>
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
 
+[FreeBSD 8.3, 8.4, 9.1, 9.2-RELEASE and 8.4-STABLE]
+# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch.asc
+# gpg --verify bind-release.patch.asc
 
-II.  Problem Description <co xml:id="co-descript"/>
+[FreeBSD 9.2-STABLE]
+# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch.asc
+# gpg --verify bind-stable-9.patch.asc
 
+b) Execute the following commands as root:
 
-III. Impact <co xml:id="co-impact"/>
+# cd /usr/src
+# patch < /path/to/patch
 
+Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
 
-IV.  Workaround <co xml:id="co-workaround"/>
+Restart the applicable daemons, or reboot the system.
 
+3) To update your vulnerable system via a binary patch:
 
-V.   Solution <co xml:id="co-solution"/>
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
 
+# freebsd-update fetch
+# freebsd-update install
 
-VI.  Correction details <co xml:id="co-details"/>
+VI.  Correction details
 
+The following list contains the correction revision numbers for each
+affected branch.
 
-VII. References <co xml:id="co-ref"/></programlisting>
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r260646
+releng/8.3/                                                       r260647
+releng/8.4/                                                       r260647
+stable/9/                                                         r260646
+releng/9.1/                                                       r260647
+releng/9.2/                                                       r260647
+- -------------------------------------------------------------------------
 
-      <calloutlist>
-	<callout arearefs="co-topic">
-	  <para>The <literal>Topic</literal> field specifies the
-	    problem.  It provides an introduction to the security
-	    advisory and notes the utility affected by the
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://kb.isc.org/article/AA-01078>
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0591>
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:04.bind.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJS1ZTYAAoJEO1n7NZdz2rnOvQP/2/68/s9Cu35PmqNtSZVVxVG
+ZSQP5EGWx/lramNf9566iKxOrLRMq/h3XWcC4goVd+gZFrvITJSVOWSa7ntDQ7TO
+XcinfRZ/iyiJbs/Rg2wLHc/t5oVSyeouyccqODYFbOwOlk35JjOTMUG1YcX+Zasg
+ax8RV+7Zt1QSBkMlOz/myBLXUjlTZ3Xg2FXVsfFQW5/g2CjuHpRSFx1bVNX6ysoG
+9DT58EQcYxIS8WfkHRbbXKh9I1nSfZ7/Hky/kTafRdRMrjAgbqFgHkYTYsBZeav5
+fYWKGQRJulYfeZQ90yMTvlpF42DjCC3uJYamJnwDIu8OhS1WRBI8fQfr9DRzmRua
+OK3BK9hUiScDZOJB6OqeVzUTfe7MAA4/UwrDtTYQ+PqAenv1PK8DZqwXyxA9ThHb
+zKO3OwuKOVHJnKvpOcr+eNwo7jbnHlis0oBksj/mrq2P9m2ueF9gzCiq5Ri5Syag
+Wssb1HUoMGwqU0roS8+pRpNC8YgsWpsttvUWSZ8u6Vj/FLeHpiV3mYXPVMaKRhVm
+067BA2uj4Th1JKtGleox+Em0R7OFbCc/9aWC67wiqI6KRyit9pYiF3npph+7D5Eq
+7zPsUdDd+qc+UTiLp3liCRp5w6484wWdhZO6wRtmUgxGjNkxFoNnX8CitzF8AaqO
+UWWemqWuz3lAZuORQ9KX
+=OQzQ
+-----END PGP SIGNATURE-----</programlisting>
+
+      <para>Every security advisory uses the following format:</para>
+
+      <itemizedlist>
+	<listitem>
+	  <para>Each security advisory is signed by the
+	    <acronym>PGP</acronym> key of the Security Officer.  The
+	    public key for the Security Officer can be verified at
+	    <xref linkend="pgpkeys"/>.</para>
+	</listitem>
+
+	<listitem>
+	  <para>The name of the security advisory always begins with
+	    <literal>FreeBSD-SA-</literal> (for FreeBSD Security
+	    Advisory), followed by the year in two digit format
+	    (<literal>14:</literal>), followed by the advisory number
+	    for that year (<literal>04.</literal>), followed by the
+	    name of the affected application or subsystem
+	    (<literal>bind</literal>).  The advisory shown here is the
+	    fourth advisory for 2014 and it affects
+	    <application>BIND</application>.</para>
+	</listitem>
+
+	<listitem>
+	<para>The <literal>Topic</literal> field summarizes the
 	    vulnerability.</para>
-	</callout>
+	</listitem>
 
-	<callout arearefs="co-category">
+	<listitem>
 	  <para>The <literal>Category</literal> refers to the
 	    affected part of the system which may be one of
 	    <literal>core</literal>, <literal>contrib</literal>, or
@@ -3250,113 +3362,95 @@ VII. References <co xml:id="co-ref"/></p
 	    category means that the vulnerability affects a core
 	    component of the &os; operating system.  The
 	    <literal>contrib</literal> category means that the
-	    vulnerability affects software contributed to the &os;
-	    Project, such as <application>Sendmail</application>.
+	    vulnerability affects software included with  &os;,
+	    such as <application>BIND</application>.
 	    The <literal>ports</literal> category indicates that the
-	    vulnerability affects add on software available through
+	    vulnerability affects software available through
 	    the Ports Collection.</para>
-	</callout>
+	</listitem>
 
-	<callout arearefs="co-module">
+	<listitem>
 	  <para>The <literal>Module</literal> field refers to the
 	    component location.  In this example, the
-	    <literal>sys</literal> module is affected; therefore, this
-	    vulnerability affects a component used within the
-	    kernel.</para>
-	</callout>
+	    <literal>bind</literal> module is affected; therefore, this
+	    vulnerability affects an application installed with the
+	    operating system.</para>
+	</listitem>
 
-	<callout arearefs="co-announce">
+	<listitem>
 	  <para>The <literal>Announced</literal> field reflects the
-	    date the security advisory was published, or announced
-	    to the world.  This means that the security team has
+	    date the security advisory was published.  This means
+	    that the security team has
 	    verified that the problem exists and that a patch has
 	    been committed to the &os; source code repository.</para>
-	</callout>
+	</listitem>
 
-	<callout arearefs="co-credit">
+	<listitem>
 	  <para>The <literal>Credits</literal> field gives credit to
 	    the individual or organization who noticed the
 	    vulnerability and reported it.</para>
-	</callout>
+	</listitem>
 
-	<callout arearefs="co-affects">
+	<listitem>
 	  <para>The <literal>Affects</literal> field explains which
-	    releases of &os; are affected by this vulnerability.
-	    For the kernel, a quick look over the output from
-	    &man.ident.1; on the affected files will help in
-	    determining the revision.  For ports, the version number
-	    is listed after the port name in <filename>/var/db/pkg</filename>.  If the
-	    system does not sync with the &os; Subversion repository
-	    and is not rebuilt daily, chances are that it is
-	    affected.</para>
-	</callout>
+	    releases of &os; are affected by this vulnerability.</para>
+	  </listitem>
 
-	<callout arearefs="co-corrected">
+	<listitem>
 	  <para>The <literal>Corrected</literal> field indicates the
-	    date, time, time offset, and release that was
+	    date, time, time offset, and releases that were
 	    corrected.</para>
-	</callout>
+	</listitem>
 
-	<callout arearefs="co-cve">
-	  <para>Reserved for the identification information used to
-	    look up vulnerabilities in the <link xlink:href="http://cve.mitre.org">Common Vulnerabilities
-	      and Exposures</link> database.</para>
-	</callout>
-
-	<callout arearefs="co-backround">
-	  <para>The <literal>Background</literal> field gives
-	    information about the affected utility.  Most of the time
-	    this is why the utility exists in &os;, what it is used
-	    for, and a bit of information on how the utility came to
-	    be.</para>
-	</callout>
+	<listitem>
+	  <para>The <literal>CVE Name</literal> field lists the
+	    advisory number, if one exists, in the public <link
+	      xlink:href="http://cve.mitre.org">cve.mitre.org</link>
+	    security vulnerabilities database.</para>
+	</listitem>
+
+	<listitem>
+	  <para>The <literal>Background</literal> field provides a
+	    description of the affected module.</para>
+	</listitem>
 
-	<callout arearefs="co-descript">
+	<listitem>
 	  <para>The <literal>Problem Description</literal> field
-	    explains the security hole in depth.  This can include
-	    information on flawed code, or even how the utility
-	    could be maliciously used to open a security hole.</para>
-	</callout>
+	    explains the vulnerability.  This can include
+	    information about the flawed code and how the utility
+	    could be maliciously used.</para>
+	</listitem>
 
-	<callout arearefs="co-impact">
+	<listitem>
 	  <para>The <literal>Impact</literal> field describes what
-	    type of impact the problem could have on a system.  For
-	    example, this could be anything from a denial of service
-	    attack, to extra privileges available to users, or even
-	    giving the attacker superuser access.</para>
-	</callout>
-
-	<callout arearefs="co-workaround">
-	  <para>The <literal>Workaround</literal> field offers a
-	    workaround to system administrators who cannot
-	    upgrade the system due to time constraints, network
-	    availability, or other reasons.  Security should not be
-	    taken lightly, and an affected system should either be
-	    patched or the workaround implemented.</para>
-	</callout>
+	    type of impact the problem could have on a system.</para>
+	</listitem>
+
+	<listitem>
+	  <para>The <literal>Workaround</literal> field indicates if
+	    a workaround is available to system administrators who cannot
+	    immediately patch the system .</para>
+	</listitem>
 
-	<callout arearefs="co-solution">
-	  <para>The <literal>Solution</literal> field offers
+	<listitem>
+	  <para>The <literal>Solution</literal> field provides the
 	    instructions for patching the affected system.  This is a
 	    step by step tested and verified method for getting a
 	    system patched and working securely.</para>
-	</callout>
+	</listitem>
 
-	<callout arearefs="co-details">
+	<listitem>
 	  <para>The <literal>Correction Details</literal> field
-	    displays the Subversion branch or release name with the
-	    periods changed to underscore characters.  It also shows
-	    the revision number of the affected files within each
-	    branch.</para>
-	</callout>
-
-	<callout arearefs="co-ref">
-	  <para>The <literal>References</literal> field usually
-	    offers sources of other information.  This can include
-	    web <acronym>URL</acronym>s, books, mailing lists, and
-	    newsgroups.</para>
-	</callout>
-      </calloutlist>
+	    displays each affected Subversion branch with
+	    the revision number that contains the corrected code.</para>
+	</listitem>
+
+	<listitem>
+	  <para>The <literal>References</literal> field
+	    offers sources of additional information regarding the
+	    vulnerability.</para>
+	</listitem>
+      </itemizedlist>
     </sect2>
   </sect1>
 


More information about the svn-doc-all mailing list