svn commit: r44311 - head/en_US.ISO8859-1/books/handbook/security

Dru Lavigne dru at
Fri Mar 21 17:25:31 UTC 2014

Author: dru
Date: Fri Mar 21 17:25:31 2014
New Revision: 44311

  Update example Security Advisory and its descriptions.
  Next commit will add to the introduction of this section.
  Sponsored by: iXsystems


Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Fri Mar 21 16:12:49 2014	(r44310)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Fri Mar 21 17:25:31 2014	(r44311)
@@ -3183,66 +3183,178 @@ You are advised to update or deinstall t
       <title>What Does an Advisory Look Like?</title>
-      <para>&os; security advisories use the format seen in this
-	example:</para>
+      <para>Here is an example of a &os; security advisory:</para>
-FreeBSD-SA-XX:XX.UTIL                                       Security Advisory
+Hash: SHA512
+FreeBSD-SA-14:04.bind                                       Security Advisory
                                                           The FreeBSD Project
-Topic:          denial of service due to some problem <co xml:id="co-topic"/>
+Topic:          BIND remote denial of service vulnerability
-Category:       core <co xml:id="co-category"/>
-Module:         sys <co xml:id="co-module"/>
-Announced:      2003-09-23 <co xml:id="co-announce"/>
-Credits:        Person <co xml:id="co-credit"/>
-Affects:        All releases of &os; <co xml:id="co-affects"/>
-                &os; 4-STABLE prior to the correction date
-Corrected:      2003-09-23 16:42:59 UTC (RELENG_4, 4.9-PRERELEASE)
-                2003-09-23 20:08:42 UTC (RELENG_5_1, 5.1-RELEASE-p6)
-                2003-09-23 20:07:06 UTC (RELENG_5_0, 5.0-RELEASE-p15)
-                2003-09-23 16:44:58 UTC (RELENG_4_8, 4.8-RELEASE-p8)
-                2003-09-23 16:47:34 UTC (RELENG_4_7, 4.7-RELEASE-p18)
-                2003-09-23 16:49:46 UTC (RELENG_4_6, 4.6-RELEASE-p21)
-                2003-09-23 16:51:24 UTC (RELENG_4_5, 4.5-RELEASE-p33)
-                2003-09-23 16:52:45 UTC (RELENG_4_4, 4.4-RELEASE-p43)
-                2003-09-23 16:54:39 UTC (RELENG_4_3, 4.3-RELEASE-p39) <co xml:id="co-corrected"/>
-<acronym>CVE</acronym> Name:       CVE-XXXX-XXXX <co xml:id="co-cve"/>
+Category:       contrib
+Module:         bind
+Announced:      2014-01-14
+Credits:        ISC
+Affects:        FreeBSD 8.x and FreeBSD 9.x
+Corrected:      2014-01-14 19:38:37 UTC (stable/9, 9.2-STABLE)
+                2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3)
+                2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10)
+                2014-01-14 19:38:37 UTC (stable/8, 8.4-STABLE)
+                2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7)
+                2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14)
+CVE Name:       CVE-2014-0591
 For general information regarding FreeBSD Security Advisories,
 including descriptions of the fields above, security branches, and the
-following sections, please visit
+following sections, please visit <URL:>.
+I.   Background
+BIND 9 is an implementation of the Domain Name System (DNS) protocols.
+The named(8) daemon is an Internet Domain Name Server.
+II.  Problem Description
+Because of a defect in handling queries for NSEC3-signed zones, BIND can
+crash with an "INSIST" failure in name.c when processing queries possessing
+certain properties.  This issue only affects authoritative nameservers with
+at least one NSEC3-signed zone.  Recursive-only servers are not at risk.
+III. Impact
+An attacker who can send a specially crafted query could cause named(8)
+to crash, resulting in a denial of service.
+IV.  Workaround
+No workaround is available, but systems not running authoritative DNS service
+with at least one NSEC3-signed zone using named(8) are not vulnerable.
+V.   Solution
+Perform one of the following:
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+2) To update your vulnerable system via a source code patch:
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
-I.   Background <co xml:id="co-backround"/>
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+[FreeBSD 8.3, 8.4, 9.1, 9.2-RELEASE and 8.4-STABLE]
+# fetch
+# fetch
+# gpg --verify bind-release.patch.asc
-II.  Problem Description <co xml:id="co-descript"/>
+[FreeBSD 9.2-STABLE]
+# fetch
+# fetch
+# gpg --verify bind-stable-9.patch.asc
+b) Execute the following commands as root:
-III. Impact <co xml:id="co-impact"/>
+# cd /usr/src
+# patch < /path/to/patch
+Recompile the operating system using buildworld and installworld as
+described in <URL:>.
-IV.  Workaround <co xml:id="co-workaround"/>
+Restart the applicable daemons, or reboot the system.
+3) To update your vulnerable system via a binary patch:
-V.   Solution <co xml:id="co-solution"/>
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+# freebsd-update fetch
+# freebsd-update install
-VI.  Correction details <co xml:id="co-details"/>
+VI.  Correction details
+The following list contains the correction revision numbers for each
+affected branch.
-VII. References <co xml:id="co-ref"/></programlisting>
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r260646
+releng/8.3/                                                       r260647
+releng/8.4/                                                       r260647
+stable/9/                                                         r260646
+releng/9.1/                                                       r260647
+releng/9.2/                                                       r260647
+- -------------------------------------------------------------------------
-      <calloutlist>
-	<callout arearefs="co-topic">
-	  <para>The <literal>Topic</literal> field specifies the
-	    problem.  It provides an introduction to the security
-	    advisory and notes the utility affected by the
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+# svn diff -cNNNNNN --summarize svn://
+Or visit the following URL, replacing NNNNNN with the revision number:
+VII. References
+The latest revision of this advisory is available at
+-----END PGP SIGNATURE-----</programlisting>
+      <para>Every security advisory uses the following format:</para>
+      <itemizedlist>
+	<listitem>
+	  <para>Each security advisory is signed by the
+	    <acronym>PGP</acronym> key of the Security Officer.  The
+	    public key for the Security Officer can be verified at
+	    <xref linkend="pgpkeys"/>.</para>
+	</listitem>
+	<listitem>
+	  <para>The name of the security advisory always begins with
+	    <literal>FreeBSD-SA-</literal> (for FreeBSD Security
+	    Advisory), followed by the year in two digit format
+	    (<literal>14:</literal>), followed by the advisory number
+	    for that year (<literal>04.</literal>), followed by the
+	    name of the affected application or subsystem
+	    (<literal>bind</literal>).  The advisory shown here is the
+	    fourth advisory for 2014 and it affects
+	    <application>BIND</application>.</para>
+	</listitem>
+	<listitem>
+	<para>The <literal>Topic</literal> field summarizes the
-	</callout>
+	</listitem>
-	<callout arearefs="co-category">
+	<listitem>
 	  <para>The <literal>Category</literal> refers to the
 	    affected part of the system which may be one of
 	    <literal>core</literal>, <literal>contrib</literal>, or
@@ -3250,113 +3362,95 @@ VII. References <co xml:id="co-ref"/></p
 	    category means that the vulnerability affects a core
 	    component of the &os; operating system.  The
 	    <literal>contrib</literal> category means that the
-	    vulnerability affects software contributed to the &os;
-	    Project, such as <application>Sendmail</application>.
+	    vulnerability affects software included with  &os;,
+	    such as <application>BIND</application>.
 	    The <literal>ports</literal> category indicates that the
-	    vulnerability affects add on software available through
+	    vulnerability affects software available through
 	    the Ports Collection.</para>
-	</callout>
+	</listitem>
-	<callout arearefs="co-module">
+	<listitem>
 	  <para>The <literal>Module</literal> field refers to the
 	    component location.  In this example, the
-	    <literal>sys</literal> module is affected; therefore, this
-	    vulnerability affects a component used within the
-	    kernel.</para>
-	</callout>
+	    <literal>bind</literal> module is affected; therefore, this
+	    vulnerability affects an application installed with the
+	    operating system.</para>
+	</listitem>
-	<callout arearefs="co-announce">
+	<listitem>
 	  <para>The <literal>Announced</literal> field reflects the
-	    date the security advisory was published, or announced
-	    to the world.  This means that the security team has
+	    date the security advisory was published.  This means
+	    that the security team has
 	    verified that the problem exists and that a patch has
 	    been committed to the &os; source code repository.</para>
-	</callout>
+	</listitem>
-	<callout arearefs="co-credit">
+	<listitem>
 	  <para>The <literal>Credits</literal> field gives credit to
 	    the individual or organization who noticed the
 	    vulnerability and reported it.</para>
-	</callout>
+	</listitem>
-	<callout arearefs="co-affects">
+	<listitem>
 	  <para>The <literal>Affects</literal> field explains which
-	    releases of &os; are affected by this vulnerability.
-	    For the kernel, a quick look over the output from
-	    &man.ident.1; on the affected files will help in
-	    determining the revision.  For ports, the version number
-	    is listed after the port name in <filename>/var/db/pkg</filename>.  If the
-	    system does not sync with the &os; Subversion repository
-	    and is not rebuilt daily, chances are that it is
-	    affected.</para>
-	</callout>
+	    releases of &os; are affected by this vulnerability.</para>
+	  </listitem>
-	<callout arearefs="co-corrected">
+	<listitem>
 	  <para>The <literal>Corrected</literal> field indicates the
-	    date, time, time offset, and release that was
+	    date, time, time offset, and releases that were
-	</callout>
+	</listitem>
-	<callout arearefs="co-cve">
-	  <para>Reserved for the identification information used to
-	    look up vulnerabilities in the <link xlink:href="">Common Vulnerabilities
-	      and Exposures</link> database.</para>
-	</callout>
-	<callout arearefs="co-backround">
-	  <para>The <literal>Background</literal> field gives
-	    information about the affected utility.  Most of the time
-	    this is why the utility exists in &os;, what it is used
-	    for, and a bit of information on how the utility came to
-	    be.</para>
-	</callout>
+	<listitem>
+	  <para>The <literal>CVE Name</literal> field lists the
+	    advisory number, if one exists, in the public <link
+	      xlink:href=""></link>
+	    security vulnerabilities database.</para>
+	</listitem>
+	<listitem>
+	  <para>The <literal>Background</literal> field provides a
+	    description of the affected module.</para>
+	</listitem>
-	<callout arearefs="co-descript">
+	<listitem>
 	  <para>The <literal>Problem Description</literal> field
-	    explains the security hole in depth.  This can include
-	    information on flawed code, or even how the utility
-	    could be maliciously used to open a security hole.</para>
-	</callout>
+	    explains the vulnerability.  This can include
+	    information about the flawed code and how the utility
+	    could be maliciously used.</para>
+	</listitem>
-	<callout arearefs="co-impact">
+	<listitem>
 	  <para>The <literal>Impact</literal> field describes what
-	    type of impact the problem could have on a system.  For
-	    example, this could be anything from a denial of service
-	    attack, to extra privileges available to users, or even
-	    giving the attacker superuser access.</para>
-	</callout>
-	<callout arearefs="co-workaround">
-	  <para>The <literal>Workaround</literal> field offers a
-	    workaround to system administrators who cannot
-	    upgrade the system due to time constraints, network
-	    availability, or other reasons.  Security should not be
-	    taken lightly, and an affected system should either be
-	    patched or the workaround implemented.</para>
-	</callout>
+	    type of impact the problem could have on a system.</para>
+	</listitem>
+	<listitem>
+	  <para>The <literal>Workaround</literal> field indicates if
+	    a workaround is available to system administrators who cannot
+	    immediately patch the system .</para>
+	</listitem>
-	<callout arearefs="co-solution">
-	  <para>The <literal>Solution</literal> field offers
+	<listitem>
+	  <para>The <literal>Solution</literal> field provides the
 	    instructions for patching the affected system.  This is a
 	    step by step tested and verified method for getting a
 	    system patched and working securely.</para>
-	</callout>
+	</listitem>
-	<callout arearefs="co-details">
+	<listitem>
 	  <para>The <literal>Correction Details</literal> field
-	    displays the Subversion branch or release name with the
-	    periods changed to underscore characters.  It also shows
-	    the revision number of the affected files within each
-	    branch.</para>
-	</callout>
-	<callout arearefs="co-ref">
-	  <para>The <literal>References</literal> field usually
-	    offers sources of other information.  This can include
-	    web <acronym>URL</acronym>s, books, mailing lists, and
-	    newsgroups.</para>
-	</callout>
-      </calloutlist>
+	    displays each affected Subversion branch with
+	    the revision number that contains the corrected code.</para>
+	</listitem>
+	<listitem>
+	  <para>The <literal>References</literal> field
+	    offers sources of additional information regarding the
+	    vulnerability.</para>
+	</listitem>
+      </itemizedlist>

More information about the svn-doc-all mailing list