FreeBSD Security Advisory: Multiple problems in crypto(3) [revised]
cf24f2e129bca457df67226f2da481a6cd4cd412bc1dd50076f6b090a5725090FreeBSD Security Advisory FreeBSD-SA-04:17.procfs - The implementation of the /proc/curproc/cmdline pseudofile in the procfs(5) file system on FreeBSD 4.x and 5.x, and of the /proc/self/cmdline pseudofile in the linprocfs(5) file system on FreeBSD 5.x reads a process' argument vector from the process address space. During this operation, a pointer was dereferenced directly without the necessary validation steps being performed.
9172f91c6b027b6f7c743ba70a7c8f2026e861b105f1b6f5125ce2249481c20bFreeBSD Security Advisory FreeBSD-SA-04:16.fetch - The fetch utility suffers from an integer overflow condition in the processing of HTTP headers that can result in a buffer overflow.
6a018e23dd8de8d84de9f7d1f8a504a855c7a82a0f3059e216c48ef84a19658aFreeBSD Security Advisory FreeBSD-SA-04:15.syscons - The syscons CONS_SCRSHOT ioctl(2) does insufficient validation of its input arguments. In particular, negative coordinates or large coordinates may cause unexpected behavior.
088af9d9dc40b2a466a18dea6a434c2f0859fe37e3f6919135f3ac37f610c117FreeBSD Security Advisory FreeBSD-SA-04:13.linux - A programming error in the handling of some Linux system calls may result in memory locations being accessed without proper validation under FreeBSD. All 4.x and 5.x releases are susceptible.
95b92b3471dd0e17e060ce2b12c19604cca3827443a6bfe6ad4fc2e0fa9df522FreeBSD Security Advisory FreeBSD-SA-04:11.msync - Programming errors in the implementation of the msync(2) system call involving the MS_INVALIDATE operation lead to cache consistency problems between the virtual memory system and on-disk contents. In some situations, a user with read access to a file may be able to prevent changes to that file from being committed to disk.
9b6d668eb3cd0d98e3221d430ab661e7250fbb287c53beec7fe79cda74993a1fFreeBSD Security Advisory FreeBSD-SA-04:06.ipv6 - Applications may manipulate the behavior of an IPv6 socket using the setsockopt(2) system call. This may allow a local attacker to read portions of kernel memory.
70e1c4c7ccbdf1b90bac831af83ac26a62adca45386ee48ac5f0dfdafab17978FreeBSD Security Advisory FreeBSD-SA-04:03.jail - A vulnerability has been found where jailed processes can attach to other jails. A programming error has been found in the jail_attach(2) system call which affects the way that system call verifies the privilege level of the calling process. Instead of failing immediately if the calling process was already jailed, the jail_attach(2) system call would fail only after changing the calling process's root directory.
639d6bd5793d142816eebc4131a6389ec9dc7aeb7fd4ad2a9e06d5e395084bfdFreeBSD Security Advisory FreeBSD-SA-04:02.shmat - A programming error in the shmat(2) system call can result in a shared memory segment's reference count being erroneously incremented. It may be possible to cause a shared memory segment to reference unallocated kernel memory, but remain valid. This could allow a local attacker to gain read or write access to a portion of kernel memory, resulting in sensitive information disclosure, bypass of access control mechanisms, or privilege escalation.
f7980b18cb45849dee668cc1f8462772ff11b36dfae7efe38bc3e239fcbc054cFreeBSD Security Advisory FreeBSD-SA-04:01.mksnap_ffs - The mksnap_ffs command creates a snapshot of a filesystem. A snapshot is a static representation of the state of the filesystem at a particular point in time. The kernel interface for creating a snapshot of a filesystem is the same as that for changing the flags on that filesystem. Due to an oversight, the mksnap_ffs command called that interface with only the snapshot flag set, causing all other flags to be reset to the default value.
21d89343ce81311419e74c853049b4efdadae48c42f81a69eb201acdb9334ee0FreeBSD Security Advisory FreeBSD-SA-03:19.bind - A programming error in BIND 8 named can allow an attacker the ability to arrange for malicious DNS messages to be delivered to a target name server, and cause that name server to cache a negative response for some target domain name. The name server would thereafter respond negatively to legitimate queries for that domain name, resulting in a denial-of-service for applications that require DNS. Affected versions are up to FreeBSD 4.9-RELEASE and 5.1-RELEASE.
de46a2eed27c50e9d58b35e42ad502868bd6b827919f08f4908ff0233d3c61fbOpenSSL below v0.9.7c contain remotely exploitable vulnerabilities. More information available here.
ea9866c77f76bacc238efbeb4e59592d6677f7874ecdf583c67cebfceb8fa68cFreeBSD Security Advisory FreeBSD-SA-03:15.openssh - New OpenSSH packages are available for FreeBSD that address the PAM challenge/authentication errors.
6e4998cbae69170e2d399cbbba472e154c366f931d2f49ebf93c40f5655800fcFreeBSD Security Advisory FreeBSD-SA-03:17.procfs - A malicious local user could arrange to use a negative or extremely large offset when reading from a procfs "file", causing a system crash, or causing the kernel to return a large portion of kernel memory.
95e6035f8a0720cdbb5f1dc7e6f3eaec332fcab7abca4a91304f917dc8a2abd8FreeBSD Security Advisory FreeBSD-SA-03:16.filedesc - A programming error in the readv system call can result in the given file descriptor's reference count being erroneously incremented. A local attacker may cause the operating system to crash by repeatedly calling readv on a file descriptor until the reference count wraps to a negative value, and then calling close on that file descriptor. Similarly, it may be possible to cause a file descriptor to reference unallocated kernel memory, but remain valid. If a new file is later opened and the kernel allocates the new file structure at the same memory location, then an attacker may be able to gain read or write access to that file. This may in turn lead to privilege escalation. This affects releases 4.3-RELEASE through 4.8 RELEASE.
d77bc848ba499127eb6972feeba3dbe40a919dde740117b4638758fd937de5daFreeBSD Security Advisory FreeBSD-SA-03:14.arp - Under certain circumstances, it is possible for an attacker to flood a FreeBSD system with spoofed ARP requests, causing resource starvation which eventually results in a system panic.
dde29ce8a88cf20ce908f5b73c17ed056e549898e79d57c425cc8cd42cc921c5FreeBSD Security Advisory FreeBSD-SA-03:11.sendmail - Some versions of sendmail (8.12.0 through 8.12.8) contain a programming error in the code that implements DNS maps. A malformed DNS reply packet may cause sendmail to crash its child process and may lead to further possible exploitation.
7f9899383fadb7f77206e97c56d7e465f51be51c5a9e5de02316b0f5c5ded77eFreeBSD Security Advisory FreeBSD-SA-03:09.signal - Systems with the device driver spigot added into the kernel configuration are susceptible to a denial of service attack due to improper validation of signal numbers.
c87f33e96c8be65778ca953502578c8425ff00101734e66ee8d4c460da100569FreeBSD Security Advisory FreeBSD-SA-03:10.ibcs2 - The iBCS2 system call translator for statfs(2) erroneously used the user-supplied length parameter when copying a kernel data structure into userland. If the length parameter were larger than required, then instead of copying only the statfs-related data structure, additional kernel memory would also be made available to the user. If iBCS2 support were enabled, a malicious user could call the iBCS2 version of statfs(2) with an arbitrarily large length parameter, causing the kernel to return a large portion of kernel memory.
2c9b5bbe17a8ffdc72ab9be9c1de622434f5b2edb34fe8252dc32db8f6d8db6dFreeBSD Security Advisory FreeBSD-SA-03:08.realpath - An off-by-one error exists in a portion of realpath(3) that computes the length of a resolved pathname. As a result, applications making use of realpath(3) may be vulnerable to denial of service attacks, remote code execution, and privilege escalation. A staggering amount of applications make use of this functionality, including but not limited to, sftp-server and lukemftpd.
c39b1f231af3aa6eed22527f9da4ecb48a71fe2b9222d7e38045c619b9534d99FreeBSD Security Advisory FreeBSD-SA-03:07 - A second remotely exploitable overflow was found in Sendmail header parsing. Upgrade to 8.12.9 to fix the vulnerability. Patch available here.
2020462d2c424be84d00d47dab2a8fee098fe1f39416fb76eb439652f8902a06FreeBSD Security Advisory FreeBSD-SA-03:04.sendmail - ISS has identified a buffer overflow that may occur during header parsing in all versions of sendmail after version 5.79 through v8.12.7. Patch available here.
e0d20c1c42885c4e88ae0958325f7a669850164090a536ce78986cb7cdcc4514FreeBSD Security Advisory FreeBSD-SA-03:02 Version 1.1 - OpenSSL v0.9.6h and below contains a timing-based vulnerability in CBC ciphersuites in SSL and TLS which can recover fixed plaintext blocks, like a password.
7634649866247240fdacffa5096769ff57f23a2bb2ad63558ba33b0f1213c8dbFreeBSD Security Advisory FreeBSD-SA-03:03 - The FreeBSD syncookie implementation uses keys that are only 32 bits in length, allowing remote attackers to recover the ISN, which can be valid for up to four seconds, allowing ACL's to be bypassed and TCP connections forged. syncookies may be disabled using the 'net.inet.tcp.syncookies' sysctl(8) by running the following command as root: "sysctl net.inet.tcp.syncookies=0".
f1a19443f25751c44cb233a1222d580467975bb2b27cfee7560380c7d12c6f71FreeBSD Security Advisory FreeBSD-SA-03:01 - It has been found that the CVS server can be tricked to free memory more then once, which can be used for remote code execution. Additionally, the CVS server allowed clients with write access to specify arbitrary commands to execute as part of an update (update-prog) or commit (checkin-prog). This behavior has been restricted. This affects all FreeBSD versions prior to 4.6-RELEASE-p7, 4.7-RELEASE-p4 and 5.0-RELEASE-p1.
04676dcda11f1a243bf6290503b701850ff6c455eef9399e03ed4dc95e392be6
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed