FreeBSD-SA-10:03.zfs

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

=============================================================================
FreeBSD-SA-10:03.zfs                                        Security Advisory
The FreeBSD Project

Topic:          ZFS ZIL playback with insecure permissions

Category:       contrib
Module:         zfs
Announced:      2010-01-06
Credits:        Pawel Jakub Dawidek
Affects:        FreeBSD 7.0 and later.
Corrected:      2009-11-14 11:59:59 UTC (RELENG_8, 8.0-STABLE)
2010-01-06 21:45:30 UTC (RELENG_8_0, 8.0-RELEASE-p2)
2010-01-06 21:45:30 UTC (RELENG_7, 7.2-STABLE)
2010-01-06 21:45:30 UTC (RELENG_7_2, 7.2-RELEASE-p6)
2010-01-06 21:45:30 UTC (RELENG_7_1, 7.1-RELEASE-p10)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

ZFS is a file-system originally developed by Sun Microsystems.

The ZFS Intent Log (“ZIL”) is a mechanism that gathers together in memory
transactions of writes, and is flushed onto disk when synchronous
semantics is necessary.  In the event of crash or power failure, the
log is examined and the uncommitted transaction would be replayed to
maintain the synchronous semantics.

II.  Problem Description

When replaying setattr transaction, the replay code would set the
attributes with certain insecure defaults, when the logged
transaction did not touch these attributes.

III. Impact

A system crash or power fail would leave some file with mode set
to 07777.  This could leak sensitive information or cause privilege
escalation.

IV.  Workaround

No workaround is available, but systems not using ZFS are not
vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_0, RELENG_7_2, or RELENG_7_1 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 7.1, 7.2,
and 8.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-10:03/zfs712.patch
# fetch http://security.FreeBSD.org/patches/SA-10:03/zfs712.patch.asc

[FreeBSD 8.0]
# fetch http://security.FreeBSD.org/patches/SA-10:03/zfs.patch
# fetch http://security.FreeBSD.org/patches/SA-10:03/zfs.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

3) Examine the system and look for affected files.

These files can be identified with the following command:

# find / -perm -7777 -print0 | xargs -0 ls -ld

The system administrator will have to correct these problems if there
is any files with such permission modes.  For example:

# find / -perm -7777 -print0 | xargs -0 chmod u=rwx,go=

Will reset access mode bits to be readable, writable and executable
by the owner only.  The system administrator should determine the
appropriate mode bits wisely.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
Path
– ————————————————————————-
RELENG_7
src/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c 1.6.2.3
RELENG_7_2
src/UPDATING                                             1.507.2.23.2.9
src/sys/conf/newvers.sh                                  1.72.2.11.2.10
src/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c
1.6.2.1.4.1
RELENG_7_1
src/UPDATING                                            1.507.2.13.2.13
src/sys/conf/newvers.sh                                   1.72.2.9.2.14
src/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c
1.6.2.1.2.1
RELENG_8
src/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c 1.8.2.2
RELENG_8_0
src/UPDATING                                              1.632.2.7.2.5
src/sys/conf/newvers.sh                                    1.83.2.6.2.5
src/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c 1.8.4.1
– ————————————————————————-

Subversion:

Branch/path                                                      Revision
– ————————————————————————-
stable/7/                                                         r201679
releng/7.2/                                                       r201679
releng/7.1/                                                       r201679
stable/8/                                                         r199266
releng/8.0/                                                       r201679
head/                                                             r199157
– ————————————————————————-

VII. References

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-10:03.zfs.asc
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.10 (FreeBSD)

iD8DBQFLRRILFdaIBMps37IRAnI3AJ9ioK1Bbg++DpPYW/RX9wnujAeJxACff+Ph
oEIfaiJ5y/DoGhklcAJdXTU=
=JPje
—–END PGP SIGNATURE—–

原文链接:http://security.freebsd.org/advisories/FreeBSD-SA-10:03.zfs.asc

FreeBSD-SA-10:02.ntpd

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

=============================================================================
FreeBSD-SA-10:02.ntpd                                       Security Advisory
The FreeBSD Project

Topic:          ntpd mode 7 denial of service

Category:       contrib
Module:         ntpd
Announced:      2010-01-06
Affects:        All supported versions of FreeBSD.
Corrected:      2010-01-06 21:45:30 UTC (RELENG_8, 8.0-STABLE)
2010-01-06 21:45:30 UTC (RELENG_8_0, 8.0-RELEASE-p2)
2010-01-06 21:45:30 UTC (RELENG_7, 7.2-STABLE)
2010-01-06 21:45:30 UTC (RELENG_7_2, 7.2-RELEASE-p6)
2010-01-06 21:45:30 UTC (RELENG_7_1, 7.1-RELEASE-p10)
2010-01-06 21:45:30 UTC (RELENG_6, 6.4-STABLE)
2010-01-06 21:45:30 UTC (RELENG_6_4, 6.4-RELEASE-p9)
2010-01-06 21:45:30 UTC (RELENG_6_3, 6.3-RELEASE-p15)
CVE Name:       CVE-2009-3563

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
used to synchronize the time of a computer system to a reference time
source.

II.  Problem Description

If ntpd receives a mode 7 (MODE_PRIVATE) request or error response
from a source address not listed in either a ‘restrict … noquery’
or a ‘restrict … ignore’ section it will log the even and send
a mode 7 error response.

III. Impact

If an attacker can spoof such a packet from a source IP of an affected
ntpd to the same or a different affected ntpd, the host(s) will endlessly
send error responses to each other and log each event, consuming network
bandwidth, CPU and possibly disk space.

IV.  Workaround

Proper filtering of mode 7 NTP packets by a firewall can limit the
number of systems used to attack your resources.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, 7-STABLE or 8-STABLE,
or to the RELENG_8_0, RELENG_7_2, RELENG_7_1, RELENG_6_4, or
RELENG_6_3 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.1, 7.2, and 8.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-10:02/ntpd.patch
# fetch http://security.FreeBSD.org/patches/SA-10:02/ntpd.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/ntp/ntpd
# make obj && make depend && make && make install
# /etc/rc.d/ntpd restart

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
Path
– ————————————————————————-
RELENG_6
src/contrib/ntp/ntpd/ntp_request.c                          1.1.1.4.8.2
RELENG_6_4
src/UPDATING                                            1.416.2.40.2.13
src/sys/conf/newvers.sh                                  1.69.2.18.2.15
src/contrib/ntp/ntpd/ntp_request.c                      1.1.1.4.8.1.2.1
RELENG_6_3
src/UPDATING                                            1.416.2.37.2.20
src/sys/conf/newvers.sh                                  1.69.2.15.2.19
src/contrib/ntp/ntpd/ntp_request.c                         1.1.1.4.20.1
RELENG_7
src/contrib/ntp/ntpd/ntp_request.c                         1.1.1.4.18.2
RELENG_7_2
src/UPDATING                                             1.507.2.23.2.9
src/sys/conf/newvers.sh                                  1.72.2.11.2.10
src/contrib/ntp/ntpd/ntp_request.c                     1.1.1.4.18.1.4.1
RELENG_7_1
src/UPDATING                                            1.507.2.13.2.13
src/sys/conf/newvers.sh                                   1.72.2.9.2.14
src/contrib/ntp/ntpd/ntp_request.c                     1.1.1.4.18.1.2.1
RELENG_8
src/contrib/ntp/ntpd/ntp_request.c                              1.2.2.1
RELENG_8_0
src/UPDATING                                              1.632.2.7.2.5
src/sys/conf/newvers.sh                                    1.83.2.6.2.5
src/contrib/ntp/ntpd/ntp_request.c                              1.2.4.1
– ————————————————————————-

Subversion:

Branch/path                                                      Revision
– ————————————————————————-
stable/6/                                                         r201679
releng/6.4/                                                       r201679
releng/6.3/                                                       r201679
stable/7/                                                         r201679
releng/7.2/                                                       r201679
releng/7.1/                                                       r201679
stable/8/                                                         r201679
releng/8.0/                                                       r201679
head/                                                             r200576
– ————————————————————————-

VII. References

http://support.ntp.org/bin/view/Main/SecurityNotice#DoS_attack_from_certain_NTP_mode
https://support.ntp.org/bugs/show_bug.cgi?id=1331
http://www.kb.cert.org/vuls/id/568372
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3563

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-10:02.ntpd.asc
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.10 (FreeBSD)

iD8DBQFLRQ9gFdaIBMps37IRAuH1AJ9eOII8McK5332jhuBHEMxAUbWKNQCghYfs
y66+ElAr2uZrrXwerlVETPc=
=yJm1
—–END PGP SIGNATURE—–

原文链接:http://security.freebsd.org/advisories/FreeBSD-SA-10:02.ntpd.asc

FreeBSD-SA-10:01.bind

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

=============================================================================
FreeBSD-SA-10:01.bind                                       Security Advisory
The FreeBSD Project

Topic:          BIND named(8) cache poisoning with DNSSEC validation

Category:       contrib
Module:         bind
Announced:      2010-01-06
Credits:        Michael Sinatra
Affects:        All supported versions of FreeBSD.
Corrected:      2009-12-11 01:23:58 UTC (RELENG_8, 8.0-STABLE)
2010-01-06 21:45:30 UTC (RELENG_8_0, 8.0-RELEASE-p2)
2009-12-11 02:23:04 UTC (RELENG_7, 7.2-STABLE)
2010-01-06 21:45:30 UTC (RELENG_7_2, 7.2-RELEASE-p6)
2010-01-06 21:45:30 UTC (RELENG_7_1, 7.1-RELEASE-p10)
2010-01-06 21:45:30 UTC (RELENG_6, 6.4-STABLE)
2010-01-06 21:45:30 UTC (RELENG_6_4, 6.4-RELEASE-p9)
2010-01-06 21:45:30 UTC (RELENG_6_3, 6.3-RELEASE-p15)
CVE Name:       CVE-2009-4022

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

DNS Security Extensions (DNSSEC) provides data integrity, origin
authentication and authenticated denial of existence to resolvers.

II.  Problem Description

If a client requests DNSSEC records with the Checking Disabled (CD) flag
set, BIND may cache the unvalidated responses.  These responses may later
be returned to another client that has not set the CD flag.

III. Impact

If a client can send such queries to a server, it can exploit this
problem to mount a cache poisoning attack, seeding the cache with
unvalidated information.

IV.  Workaround

Disabling DNSSEC validation will prevent BIND from caching unvalidated
records, but also prevent DNSSEC authentication of records.  Systems not
using DNSSEC validation are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, 7-STABLE or 8-STABLE,
or to the RELENG_8_0, RELENG_7_2, RELENG_7_1, RELENG_6_4, or
RELENG_6_3 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.1, 7.2, and 8.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 6.3]
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-63.patch
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-63.patch.asc

[FreeBSD 6.4]
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-64.patch
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-64.patch.asc

[FreeBSD 7.1]
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-71.patch
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-71.patch.asc

[FreeBSD 7.2]
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-72.patch
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-72.patch.asc

[FreeBSD 8.0]
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-80.patch
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-80.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install
# /etc/rc.d/named restart

NOTE WELL: Users running FreeBSD 6 and using DNSSEC are advised to get
a more recent BIND version with more complete DNSSEC support.  This
can be done either by upgrading to FreeBSD 7.x or later, or installing
BIND for the FreeBSD Ports Collection.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
Path
– ————————————————————————-
RELENG_6
src/contrib/bind9/lib/dns/rbtdb.c                           1.1.1.1.4.4
src/contrib/bind9/lib/dns/include/dns/types.h               1.1.1.1.4.2
src/contrib/bind9/lib/dns/resolver.c                       1.1.1.2.2.11
src/contrib/bind9/lib/dns/masterdump.c                      1.1.1.1.4.3
src/contrib/bind9/lib/dns/validator.c                       1.1.1.2.2.6
src/contrib/bind9/bin/named/query.c                         1.1.1.1.4.7
RELENG_6_4
src/UPDATING                                            1.416.2.40.2.13
src/sys/conf/newvers.sh                                  1.69.2.18.2.15
src/contrib/bind9/lib/dns/rbtdb.c                       1.1.1.1.4.3.2.1
src/contrib/bind9/lib/dns/include/dns/types.h           1.1.1.1.4.1.4.1
src/contrib/bind9/lib/dns/resolver.c                    1.1.1.2.2.9.2.1
src/contrib/bind9/lib/dns/masterdump.c                  1.1.1.1.4.1.4.1
src/contrib/bind9/lib/dns/validator.c                   1.1.1.2.2.4.2.1
src/contrib/bind9/bin/named/query.c                     1.1.1.1.4.5.2.1
RELENG_6_3
src/UPDATING                                            1.416.2.37.2.20
src/sys/conf/newvers.sh                                  1.69.2.15.2.19
src/contrib/bind9/lib/dns/rbtdb.c                       1.1.1.1.4.2.2.1
src/contrib/bind9/lib/dns/include/dns/types.h           1.1.1.1.4.1.2.1
src/contrib/bind9/lib/dns/resolver.c                    1.1.1.2.2.6.2.2
src/contrib/bind9/lib/dns/masterdump.c                  1.1.1.1.4.1.2.1
src/contrib/bind9/lib/dns/validator.c                   1.1.1.2.2.3.2.1
src/contrib/bind9/bin/named/query.c                     1.1.1.1.4.4.2.1
RELENG_7
src/contrib/bind9/lib/dns/rbtdb.c                           1.1.1.4.2.4
src/contrib/bind9/lib/dns/include/dns/types.h               1.1.1.3.2.2
src/contrib/bind9/lib/dns/resolver.c                        1.1.1.9.2.6
src/contrib/bind9/lib/dns/masterdump.c                      1.1.1.3.2.3
src/contrib/bind9/lib/dns/validator.c                       1.1.1.6.2.5
src/contrib/bind9/bin/named/query.c                         1.1.1.6.2.4
RELENG_7_2
src/UPDATING                                             1.507.2.23.2.9
src/sys/conf/newvers.sh                                  1.72.2.11.2.10
src/contrib/bind9/lib/dns/rbtdb.c                       1.1.1.4.2.2.2.1
src/contrib/bind9/lib/dns/include/dns/types.h               1.1.1.3.8.1
src/contrib/bind9/lib/dns/resolver.c                    1.1.1.9.2.4.2.1
src/contrib/bind9/lib/dns/masterdump.c                  1.1.1.3.2.1.2.1
src/contrib/bind9/lib/dns/validator.c                   1.1.1.6.2.3.2.1
src/contrib/bind9/bin/named/query.c                     1.1.1.6.2.2.2.1
RELENG_7_1
src/UPDATING                                            1.507.2.13.2.13
src/sys/conf/newvers.sh                                   1.72.2.9.2.14
src/contrib/bind9/lib/dns/rbtdb.c                       1.1.1.4.2.1.4.1
src/contrib/bind9/lib/dns/include/dns/types.h               1.1.1.3.6.1
src/contrib/bind9/lib/dns/resolver.c                    1.1.1.9.2.3.2.1
src/contrib/bind9/lib/dns/masterdump.c                      1.1.1.3.6.1
src/contrib/bind9/lib/dns/validator.c                   1.1.1.6.2.1.4.1
src/contrib/bind9/bin/named/query.c                     1.1.1.6.2.1.4.1
RELENG_8
src/contrib/bind9/lib/dns/rbtdb.c                               1.3.2.2
src/contrib/bind9/lib/dns/include/dns/types.h                   1.2.2.2
src/contrib/bind9/lib/dns/resolver.c                            1.6.2.2
src/contrib/bind9/lib/dns/masterdump.c                          1.3.2.2
src/contrib/bind9/lib/dns/validator.c                           1.4.2.2
src/contrib/bind9/bin/named/query.c                             1.3.2.2
RELENG_8_0
src/UPDATING                                              1.632.2.7.2.5
src/sys/conf/newvers.sh                                    1.83.2.6.2.5
src/contrib/bind9/lib/dns/rbtdb.c                               1.3.4.1
src/contrib/bind9/lib/dns/include/dns/types.h                   1.2.4.1
src/contrib/bind9/lib/dns/resolver.c                            1.6.4.1
src/contrib/bind9/lib/dns/masterdump.c                          1.3.4.1
src/contrib/bind9/lib/dns/validator.c                           1.4.4.1
src/contrib/bind9/bin/named/query.c                             1.3.4.1
– ————————————————————————-

Subversion:

Branch/path                                                      Revision
– ————————————————————————-
stable/6/                                                         r200394
releng/6.4/                                                       r201679
releng/6.3/                                                       r201679
stable/7/                                                         r200393
releng/7.2/                                                       r201679
releng/7.1/                                                       r201679
stable/8/                                                         r200383
releng/8.0/                                                       r201679
head/                                                             r199958
– ————————————————————————-

VII. References

https://www.isc.org/node/504
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-10:01.bind.asc
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.10 (FreeBSD)

iD8DBQFLRQ9dFdaIBMps37IRAip+AJ0S55AYqLsrwrLLMo8Qi6fGxoH7EQCfU/6K
RUb5Kn+O1qc/FUzEQ12AmrA=
=Pfoo
—–END PGP SIGNATURE—–

原文链接:http://security.freebsd.org/advisories/FreeBSD-SA-10:01.bind.asc