FreeBSD Security Advisory - Multiple vulnerabilities have been discovered in the NTP suite.
33824530cddd9387168daf3f7afeba89dddbc5899597c45b606169369c028f6b
FreeBSD Security Advisory - A special combination of sysarch(2) arguments, specify a request to uninstall a set of descriptors from the LDT. The start descriptor is cleared and the number of descriptors are provided. Due to lack of sufficient bounds checking during argument validity verification, unbound zero'ing of the process LDT and adjacent memory can be initiated from usermode. This vulnerability could cause the kernel to panic. In addition it is possible to perform a local Denial of Service against the system by unprivileged processes.
8dbc7fc92ef7fd0b07935385aa28ec8cf4ddf66ffb142a9e6b451b9992efe0fc
FreeBSD Security Advisory - The implementation of bspatch does not check for a negative value on numbers of bytes read from the diff and extra streams, allowing an attacker who can control the patch file to write at arbitrary locations in the heap. This issue was first discovered by The Chromium Project and reported independently by Lu Tung-Pin to the FreeBSD project. An attacker who can control the patch file can cause a crash or run arbitrary code under the credentials of the user who runs bspatch, in many cases, root.
94be495aa94159d16c19228b849a936b7ff41d00262b82639c5ca19b61e52752
FreeBSD Security Advisory - Multiple vulnerabilities have been discovered in the NTP suite.
7ba3ed8ca1f5959e5da3cb8022a8fbaa3f5ef61c41ffb131bb3ba01f5feb470d
FreeBSD Security Advisory - The implementation of the TIOCGSERIAL ioctl(2) does not clear the output struct before copying it out to userland. The implementation of the Linux sysinfo() system call does not clear the output struct before copying it out to userland. An unprivileged user can read a portion of uninitialised kernel stack data, which may contain sensitive information, such as the stack guard, portions of the file cache or terminal buffers, which an attacker might leverage to obtain elevated privileges.
6b27a6a1f473e7ec8c1d3d2d15e96112361176be54633c0fd438e73581a1ad54
FreeBSD Security Advisory - The cpio(1) tool from the libarchive(3) bundle is vulnerable to a directory traversal problem via absolute paths in an archive file. A malicious archive file being unpacked can overwrite an arbitrary file on a filesystem, if the owner of the cpio process has write access to it.
cce26b2a1835322695e6fff10188668916dff833800347947b8674400f19415d
FreeBSD Security Advisory - An integer signedness error in the archive_write_zip_data() function in archive_write_set_format_zip.c in libarchive(2) could lead to a buffer overflow on 64-bit machines. An attacker who can provide input of their choice for creating a ZIP archive can cause a buffer overflow in libarchive(2) that results in a core dump or possibly execution of arbitrary code provided by the attacker.
87a7f61237be219ef487e8ed9b0715b7f4968873a982c7e3f7783ca63eca8013
FreeBSD Security Advisory - The implementation of historic stat(2) system call does not clear the output struct before copying it out to userland. An unprivileged user can read a portion of uninitialised kernel stack data, which may contain sensitive information, such as the stack guard, portions of the file cache or terminal buffers, which an attacker might leverage to obtain elevated privileges.
5aea37987852d0521df4d2905049a1846239ec7524662651c8d72205994223c8
FreeBSD Security Advisory - Incorrect argument handling in the socket code allows malicious local user to overwrite large portion of the kernel memory. Malicious local user may crash kernel or execute arbitrary code in the kernel, potentially gaining superuser privileges.
645db3fe4369fd21421c9b74273cd54e8fa721a229dc9fde4d52770ffac13ad6
FreeBSD Security Advisory - Incorrect signedness comparison in the ioctl(2) handler allows a malicious local user to overwrite a portion of the kernel memory. A local user may crash the kernel, read a portion of kernel memory and execute arbitrary code in kernel context. The result of executing an arbitrary kernel code is privilege escalation.
c7c48a6a99a2c6c01b08b27fe32854f8e9e9d8b0f9221e5d0765b78ae72824fc
FreeBSD Security Advisory - The padding check in AES-NI CBC MAC was rewritten to be in constant time by making sure that always the same bytes are read and compared against either the MAC or padding bytes. But it no longer checked that there was enough data to have both the MAC and padding bytes. [CVE-2016-2107] An overflow can occur in the EVP_EncodeUpdate() function which is used for Base64 encoding of binary data. [CVE-2016-2105] An overflow can occur in the EVP_EncryptUpdate() function, however it is believed that there can be no overflows in internal code due to this problem. [CVE-2016-2106] When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio() a short invalid encoding can casuse allocation of large amounts of memory potentially consuming excessive resources or exhausting memory. [CVE-2016-2109] ASN1 Strings that are over 1024 bytes can cause an overread in applications using the X509_NAME_oneline() function on EBCDIC systems. [CVE-2016-2176] FreeBSD does not run on any EBCDIC systems and therefore is not affected. A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server support AES-NI. [CVE-2016-2107] If an attacker is able to supply very large amounts of input data then a length check can overflow resulting in a heap corruption. [CVE-2016-2105] Any application parsing untrusted data through d2i BIO functions are vulnerable to memory exhaustion attack. [CVE-2016-2109] TLS applications are not affected.
182b52531dd70de627d6fe99dbbd9fa0404b54c26fd1b7e6a5ebb96e63de362d
Core Security Technologies Advisory - An integer signedness error has been found in the amd64_set_ldt() function in the FreeBSD kernel code (define d in the /sys/amd64/amd64/sys_machdep.c file), which implements the i386_set_ldt system call on the amd64 version of the OS. This integer signedness issue ultimately leads to a heap overflow in the kernel, allowing local unprivileged attackers to crash the system. FreeBSD 10.2 amd64 is affected.
d41fcb2fcfd845b70a122e20b1cbd17e3b183211e307eaf35331480595a9fc22
FreeBSD Security Advisory - A special combination of sysarch(2) arguments, specify a request to uninstall a set of descriptors from the LDT. The start descriptor is cleared and the number of descriptors are provided. Due to invalid use of a signed intermediate value in the bounds checking during argument validity verification, unbound zero'ing of the process LDT and adjacent memory can be initiated from usermode. This vulnerability could cause the kernel to panic. In addition it is possible to perform a local Denial of Service against the system by unprivileged processes.
1b06a4a8fb40914b387a59838b891b91a1f57185e7bb078d76328e2d133bb85d
FreeBSD Security Advisory - Due to insufficient input validation in OpenSSH, a client which has permission to establish X11 forwarding sessions to a server can piggyback arbitrary shell commands on the data intended to be passed to the xauth tool. An attacker with valid credentials and permission to establish X11 forwarding sessions can bypass other restrictions which may have been placed on their account, for instance using ForceCommand directives in the server's configuration file.
d2574fbe9a392afc705b1b7d4182a37f52ec3bece6bca525cafffff285a229b1
FreeBSD Security Advisory - A cross-protocol attack was discovered that could lead to decryption of TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle. Note that traffic between clients and non-vulnerable servers can be decrypted provided another server supporting SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or POP3) shares the RSA keys of the non-vulnerable server. This vulnerability is known as DROWN. Various other issues were also addressed.
3dc25b95a3b0e894796bebc78d2c22db92393a6b8fa48106e84605e40b76a348
FreeBSD Security Advisory - Testing by ISC has uncovered a defect in control channel input handling which can cause named to exit due to an assertion failure in sexpr.c or alist.c when a malformed packet is sent to named's control channel (the interface which allows named to be controlled using the "rndc" server control utility). An error when parsing signature records for DNAME records having specific properties can lead to named exiting due to an assertion failure in resolver.c or db.c. A remote attacker can deliberately trigger the failed assertion if the DNS server accepts remote rndc commands regardless if authentication is configured. Note that this is not enabled by default. A remote attacker who can cause a server to make a query deliberately chosen to generate a response containing a signature record which would trigger a failed assertion and cause named to stop. Disabling DNSsec does not provide protection against this vulnerability.
511b0fffe4ca8e6584c5c8a182c7a5ff4bb7fa1f2086db6fc678849054b18a03
FreeBSD Security Advisory - A malicious client can negotiate SSLv2 ciphers that have been disabled on the server and complete SSLv2 handshakes even if all SSLv2 ciphers have been disabled, provided that the SSLv2 protocol was not also disabled via SSL_OP_NO_SSLv2. An active MITM attacker may be able to force a protocol downgrade to SSLv2, which is a flawed protocol and intercept the communication between client and server.
827e9ad8f6704f864f01a7b83b9a552d36a3e9f6236faf2b0176021619eee998
FreeBSD Security Advisory - A programming error in the Linux compatibility layer could cause the issetugid(2) system call to return incorrect information. If an application relies on output of the issetugid(2) system call and that information is incorrect, this could lead to a privilege escalation.
2462fca5abf2f3ca47e35945821727dadf6171021ac17e978ce0410a5ed2e46b
FreeBSD Security Advisory - Multiple vulnerabilities have been discovered in ntp 4.2.8p5.
0012bd57d2a8406dd32930fabf358096ce959163c75bbf46f91070e3e7c213d8
FreeBSD Security Advisory - There is an off-by-one error in a buffer size check when performing certain string formatting operations. Slaves using text-format db files could be vulnerable if receiving a malformed record in a zone transfer from their master. Masters using text-format db files could be vulnerable if they accept a malformed record in a DDNS update message. Recursive resolvers are potentially vulnerable when debug logging is enabled and if they are fed a deliberately malformed record by a malicious server. A server which has cached a specially constructed record could encounter this condition while performing 'rndc dumpdb'.
c803a5067169b0dd06a8b595f07a796ef604d725b2cec7e9041f63d8bdb30a0a
FreeBSD suffers from an SCTP ICMPv6 error processing denial of service vulnerability.
0e9739e6af079dbf01619289a6322ec59c79b437390fcdb866cdc2f4a91789c1
FreeBSD suffers from a bsnmpd information disclosure vulnerability.
30858a55de4d08a56a599bb420f85c65dae9f53454ef12c51314ce7d18ea9a53
FreeBSD Security Advisory - The OpenSSH client code contains experimental support for resuming SSH connections (roaming). The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys. A user that authenticates to a malicious or compromised server may reveal private data, including the private SSH key of the user.
515455f581e8b3dbf9ef54978b06f4fd0aa011a223e46d82ca02ed434678d234
FreeBSD Security Advisory - The SNMP protocol supports an authentication model called USM, which relies on a shared secret. The default permission of the bsnmpd configuration file, /etc/bsnmpd.conf, is weak and does not provide adequate protection against local unprivileged users. A local user may be able to read the shared secret, if configured and used by the system administrator.
a72b9ae60396ff46558b0ec651b04f329fe46350335df2906500a42e8c4ad50b
FreeBSD Security Advisory - A lack of proper input checks in the ICMPv6 processing in the SCTP stack can lead to either a failed kernel assertion or to a NULL pointer dereference. In either case, a kernel panic will follow. A remote, unauthenticated attacker can reliably trigger a kernel panic in a vulnerable system running IPv6. Any kernel compiled with both IPv6 and SCTP support is vulnerable. There is no requirement to have an SCTP socket open. IPv4 ICMP processing is not impacted by this vulnerability.
4bef6e3ea2f1171573414a2017dc744185b0cd4dec11a97cd0033f86aae1bbe0