FreeBSD Security Advisory FreeBSD-SA-04:16.fetch - The fetch utility suffers from an integer overflow condition in the processing of HTTP headers that can result in a buffer overflow.
6a018e23dd8de8d84de9f7d1f8a504a855c7a82a0f3059e216c48ef84a19658a
FreeBSD Security Advisory - A local user can read files which have been updated by freebsd-update(8), even if those files have permissions which would normally not allow users to read them. In particular, on systems which have been upgraded using 'freebsd-update upgrade', local users can read freebsd-update's backed-up copy of the master password file.
ded36262fd7c099273370d8e7b7df7dcd74a6ee0b857538117b791ae99da12b6
FreeBSD Security Advisory - The run-time link-editor, rtld, links dynamic executables with their needed libraries at run-time. It also allows users to explicitly load libraries via various LD_ environment variables.
43cd0a5c752f6ee28c98c000a73357ee02baaf6cfca10e1ff8d34ae1cd5fecd1
FreeBSD Security Advisory - The SSL version 3 and TLS protocols support session renegotiation without cryptographically tying the new session parameters to the old parameters.
83f0097f23e71e96656c550bd67180eab9bdaff2b8488afde19399d0ccd4562d
FreeBSD Security Advisory - Due to the interaction between devfs and VFS, a race condition exists where the kernel might dereference a NULL pointer.
4b21def402ce048506cd636e20e57f215a29c797ecd2817b7359d5b1e52ab3ef
FreeBSD Security Advisory - When named(8) receives a specially crafted dynamic update message, an internal assertion check is triggered which causes named(8) to exit. To trigger the problem, the dynamic update message must contain a record of type "ANY", and at least one resource record set (RRset) for that fully qualified domain name (FQDN) must exist on the server.
6794c843e62bd2ba63abb24337495791f839e4e7e47cd54d93099e0868941ba7
FreeBSD Security Advisory - When named(8) receives a specially crafted dynamic update message, an internal assertion check is triggered which causes named(8) to exit. To trigger the problem, the dynamic update message must contain a record of type "ANY", and at least one resource record set (RRset) for that fully qualified domain name (FQDN) must exist on the server.
63f6e9c33b817f0e2995a59692b493e8ec93d0332cc4781442f1c4b5e3d35798
FreeBSD Security Advisory - An integer overflow in computing the set of pages containing data to be copied can result in virtual-to-physical address lookups not being performed.
8655e2660ef04de220a65ec6f8631ef7f52a3e801d6816f4535bd98a398662fc
FreeBSD Security Advisory - The SIOCSIFINFO_IN6 ioctl is missing a necessary permissions check. Local users, including non-root users and users inside jails, can set some IPv6 interface properties. These include changing the link MTU and disabling interfaces entirely.
ac68c0baaefa4bfdc7df1c0fa45bed659499c7dbaf9c342aee6ff1990c40e4a0
FreeBSD Security Advisory - The ntpd(8) daemon is prone to a stack-based buffer-overflow when it is configured to use the 'autokey' security model.
ec6c782f4a0e120ad1feee4a35e1fb30428529ec48d4b15ba1b394a88c31d3bd
FreeBSD Security Advisory - Some data structures used by the database interface code are not properly initialized when allocated. Programs using the db(3) interface to create Berkeley database files may "leak" sensitive information into database files. If those files can be read by other users, this may result in the disclosure of sensitive information such as login credentials.
f19636fcc9f3672265dbfa020957a9cea9463d7bdf766613e2c355245a911789
FreeBSD Security Advisory - The function ASN1_STRING_print_ex does not properly validate the lengths of BMPString or UniversalString objects before attempting to print them. An application which attempts to print a BMPString or UniversalString which has an invalid length will crash as a result of OpenSSL accessing invalid memory locations. This could be used by an attacker to crash a remote application.
0af558312bdb0b2a378db3fb4f4e5a435365f4ea7532b84431ff7fb7a55aec6e
FreeBSD Security Advisory - In FreeBSD 7.0, support was introduced for per-process timers as defined in the POSIX realtime extensions. This allows a process to have a limited number of timers running at once, with various actions taken when each timer reaches zero. An integer which specifies which timer a process wishes to operate upon is not properly bounds-checked. An unprivileged process can overwrite an arbitrary location in kernel memory. This could be used to change the user ID of the process (in order to "become root"), to escape from a jail, or to bypass security mechanisms in other ways.
bfe3f8cd4f9f141932f321714dc7fd3f873020d7be4c70aea61d5dfc7f2b2af7
FreeBSD Security Advisory - In order to prevent environment variable based attacks, telnetd scrubs its environment; however, recent changes in FreeBSD's environment-handling code rendered telnetd's scrubbing inoperative, thereby allowing potentially harmful environment variables to be set. An attacker who can place a specially-constructed file onto a target system (either by legitimately logging into the system or by exploiting some other service on the system) can execute arbitrary code with the privileges of the user running the telnet daemon (usually root).
8fd5f35be1f357357d7faa04aaf55fefca25b625f49ea0f157d81958e7d9b0a6
FreeBSD Security Advisory - The DSA_do_verify() function from OpenSSL is used to determine if a DSA digital signature is valid. When DNSSEC is used within BIND it uses DSA_do_verify() to verify DSA signatures, but checks the function return value incorrectly.
220d4fa821366af296e126574f48d4b6710134d13644b63e90dc0e60ac9c10b8
FreeBSD Security Advisory - lukemftpd suffers from a cross-site request forgery vulnerability.
f96a133098c7d695b8ed4948a168b5a4bbc1e31a29cf5e7e4ead2bbc59be475b
FreeBSD Security Advisory - The EVP_VerifyFinal() function from OpenSSL is used to determine if a digital signature is valid. The SSL layer in OpenSSL uses EVP_VerifyFinal(), which in several places checks the return value incorrectly and treats verification errors as a good signature. This is only a problem for DSA and ECDSA keys.
0fb1c7f9876c52b5a471b7b0b3b96ecb570c084c5146b7a0b0b7cd4c332e5a41
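The two OpenSSL-related entries above (DSA_do_verify() misused by BIND's DNSSEC code, and EVP_VerifyFinal() misused inside OpenSSL's own SSL layer) are the same bug: both functions return 1 for a valid signature, 0 for a well-formed signature that does not match, and -1 on error (typically a malformed signature encoding), but the callers tested the result as a boolean, so -1 counted as success. The following is an added illustration, not code from the advisories, OpenSSL or BIND. `toy_do_verify()` is a constructed stand-in that keeps only the 1/0/-1 return convention (its "signature" is a tag byte, a length byte and a 4-byte FNV-1a digest of the message, with no real cryptography); `accept_vulnerable()` shows the broken `if (!verify(...))` check and `accept_fixed()` the correct `== 1` test.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy signature format (NOT OpenSSL, NOT DSA):
 *   byte 0: tag, byte 1: body length, bytes 2..5: FNV-1a digest of the message.
 * The only property borrowed from OpenSSL is the return convention of
 * DSA_do_verify()/EVP_VerifyFinal(): 1 = verified, 0 = mismatch, -1 = error. */
#define SIG_TAG 0x30
#define SIG_BODY_LEN 4
#define SIG_TOTAL_LEN (2 + SIG_BODY_LEN)

static uint32_t fnv1a32(const unsigned char *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Produce a well-formed toy signature for msg. Returns bytes written. */
size_t toy_sign(const unsigned char *msg, size_t msglen,
                unsigned char *sig, size_t sigcap) {
    if (sigcap < SIG_TOTAL_LEN) return 0;
    uint32_t h = fnv1a32(msg, msglen);
    sig[0] = SIG_TAG;
    sig[1] = SIG_BODY_LEN;
    sig[2] = (unsigned char)(h >> 24); sig[3] = (unsigned char)(h >> 16);
    sig[4] = (unsigned char)(h >> 8);  sig[5] = (unsigned char)h;
    return SIG_TOTAL_LEN;
}

/* Tri-state verify: -1 is a parse/decoding error, not a verification result. */
int toy_do_verify(const unsigned char *msg, size_t msglen,
                  const unsigned char *sig, size_t siglen) {
    if (siglen != SIG_TOTAL_LEN || sig[0] != SIG_TAG || sig[1] != SIG_BODY_LEN)
        return -1;                                   /* malformed encoding */
    uint32_t want = fnv1a32(msg, msglen);
    uint32_t got = ((uint32_t)sig[2] << 24) | ((uint32_t)sig[3] << 16) |
                   ((uint32_t)sig[4] << 8)  |  (uint32_t)sig[5];
    return want == got ? 1 : 0;
}

/* Vulnerable caller pattern: "if (!verify()) fail;" lets -1 through as success. */
int accept_vulnerable(const unsigned char *msg, size_t msglen,
                      const unsigned char *sig, size_t siglen) {
    if (!toy_do_verify(msg, msglen, sig, siglen))
        return 0;
    return 1;
}

/* Fixed caller pattern: only the exact value 1 means the signature verified. */
int accept_fixed(const unsigned char *msg, size_t msglen,
                 const unsigned char *sig, size_t siglen) {
    return toy_do_verify(msg, msglen, sig, siglen) == 1;
}

/* Scenarios over a constructed message: 0 = valid, 1 = tampered digest,
 * 2 = wrong tag byte (malformed), 3 = truncated (malformed).
 * fixed == 0 runs the vulnerable check, fixed != 0 the corrected one. */
int check_scenario(int scenario, int fixed) {
    static const unsigned char msg[] = "example.org. IN A 192.0.2.1";  /* constructed */
    unsigned char sig[SIG_TOTAL_LEN];
    size_t siglen = toy_sign(msg, sizeof msg - 1, sig, sizeof sig);
    switch (scenario) {
    case 1: sig[5] ^= 0x01; break;   /* well-formed but does not match -> 0 */
    case 2: sig[0] = 0x31;  break;   /* bad tag -> decoder error -> -1 */
    case 3: siglen = 3;     break;   /* truncated -> decoder error -> -1 */
    default: break;
    }
    return fixed ? accept_fixed(msg, sizeof msg - 1, sig, siglen)
                 : accept_vulnerable(msg, sizeof msg - 1, sig, siglen);
}

int main(void) {
    static const char *names[] = {"valid", "tampered", "bad tag", "truncated"};
    for (int s = 0; s < 4; s++)
        printf("%-10s vulnerable=%d fixed=%d\n", names[s],
               check_scenario(s, 0), check_scenario(s, 1));
    return 0;
}
```

The malformed cases are the ones that matter: a decoder error makes the vulnerable check accept a "signature" that was never compared against anything, which is how a garbage DSA or ECDSA signature passed as valid in the affected BIND and OpenSSL code.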
FreeBSD Security Advisory - The ftpd server splits long commands into several requests. This may result in the server executing a command which is hidden inside another very long command. This could, with a specifically crafted command, be used in a cross-site request forgery attack.
2e6c5b82c449c824228fcb5c04163a13250ea1166e252761a367a4dc98ca8ae5
FreeBSD Security Advisory - Some function pointers for netgraph and bluetooth sockets are not properly initialized. A local user can cause the FreeBSD kernel to execute arbitrary code. This could be used by an attacker directly; or it could be used to gain root privilege or to escape from a jail.
68d6c56fdb87d6522cd80e38e97f33feb669cc5e02d6b6c06001e4a3bc436269
FreeBSD Security Advisory - When the arc4random random number generator is initialized, there may be inadequate entropy to meet the needs of kernel systems which rely on arc4random; and it may take up to 5 minutes before arc4random is reseeded with secure entropy from the Yarrow random number generator.
5b358a6d007f2d56053a805066be7b6451911ecfa223bda993b2748c778af6a4
FreeBSD Security Advisory - IPv6 routers may allow "on-link" IPv6 nodes to create and update the router's neighbor cache and forwarding information. A malicious IPv6 node sharing a common router but on a different physical segment from another node may be able to spoof Neighbor Discovery messages, allowing it to update router information for the victim node.
5da0304608ae874f2a0a24b6a59e079a8cb6140245d47db24abb0b40c8913d5e
FreeBSD Security Advisory - In case of an incoming ICMPv6 'Packet Too Big Message', there is an insufficient check on the proposed new MTU for a path to the destination. When the kernel is configured to process IPv6 packets and has active IPv6 TCP sockets, a specifically crafted ICMPv6 'Packet Too Big Message' could cause the TCP stack of the kernel to panic.
8d935b0a4c11d0b8d9e04f2031c6eabb363df15b37837728e7cfbdcb0d15d3ac
FreeBSD Security Advisory - Various user defined input such as mount points, devices, and mount options are prepared and passed as arguments to nmount(2) into the kernel. Under certain error conditions, user defined data will be copied into a stack allocated buffer stored in the kernel without sufficient bounds checking. If the system is configured to allow unprivileged users to mount file systems, it is possible for a local adversary to exploit this vulnerability and execute code in the context of the kernel.
8265017f0c4b0022d978e1e3604993352ecac41efc8b787596bf55e18a09b5bb
FreeBSD Security Advisory - If a General Protection Fault occurs on a FreeBSD/amd64 system while the kernel is returning from an interrupt, trap or system call, the swapgs CPU instruction may be executed one extra time when it should not be, leaving userland and kernel state mixed. A local attacker who can trigger a General Protection Fault while the kernel is returning from an interrupt, trap or system call, and who controls the stack frame at that point, can run arbitrary code with kernel privileges.
fda35491c2c94c4696a474ad75a3cae114fe88a1cb3728114f08df8c752a8fac
FreeBSD Security Advisory - The BIND DNS implementation does not randomize the UDP source port when doing remote queries, and the query id alone does not provide adequate randomization.
fb04e361ce950a2eb37bbee1c2ca35ab538b362079ecb611780d440663993f72
FreeBSD Security Advisory - OpenSSH has a X11-forwarding privilege escalation issue. When logging in via SSH with X11-forwarding enabled, sshd(8) fails to correctly handle the case where it fails to bind to an IPv4 port but successfully binds to an IPv6 port. In this case, applications which use X11 will connect to the IPv4 port, even though it had not been bound by sshd(8) and is therefore not being securely forwarded.
e9b01dda09d2fd2b373a83e4472cf74b709679aa9d7a842873ded6635ef406d9