FreeBSD Security Advisory FreeBSD-SA-04:16.fetch - The fetch utility suffers from an integer overflow condition in the processing of HTTP headers that can result in a buffer overflow.
6a018e23dd8de8d84de9f7d1f8a504a855c7a82a0f3059e216c48ef84a19658a
FreeBSD Security Advisory FreeBSD-SA-06:16.smbfs: smbfs does not properly sanitize paths containing a backslash character; in particular the directory name '..\' is interpreted as the parent directory by the SMB/CIFS server, but smbfs handles it in the same manner as any other directory.
06d243f685293bae40f0260e0f5a4d6049010f7d1de0bccef6ae22041257bd2f
FreeBSD Security Advisory FreeBSD-SA-06:15.ypserv: There are two documented methods of restricting access to NIS maps through ypserv(8): through the use of the /var/yp/securenets file, and through the /etc/hosts.allow file. While both mechanisms are implemented in the server, a change in the build process caused the "securenets" access restrictions to be inadvertently disabled.
b939e4d3fddcf9d8f92200b7d05ca27d0a18ae5290b3350ca3d19fac28829a29
FreeBSD Security Advisory FreeBSD-SA-06:14.fpu - FPU information disclosure: On affected processors, a local attacker can monitor the execution path of a process which uses floating-point operations. This may allow an attacker to steal cryptographic keys or other sensitive information.
7a90ad481bb181822f4882bcd4d2e967f8919ef69c8cce7ee8b546a06c7dd4b9
FreeBSD Security Advisory FreeBSD-SA-06:10.nfs - A part of the NFS server code charged with handling incoming RPC messages via TCP had an error which, when the server received a message with a zero-length payload, would cause a NULL pointer dereference, resulting in a kernel panic. The kernel will only process the RPC messages if a userland nfsd daemon is running.
8712b0c54e6195379a38f208914e6b31aecb2b2ca2355a6a67d8db63219f7a5e
FreeBSD Security Advisory FreeBSD-SA-06:09.openssh - Because OpenSSH and OpenPAM have conflicting designs (one is event-driven while the other is callback-driven), it is necessary for OpenSSH to fork a child process to handle calls to the PAM framework. However, if the unprivileged child terminates while PAM authentication is under way, the parent process incorrectly believes that the PAM child also terminated. The parent process then terminates, and the PAM child is left behind. Due to the way OpenSSH performs internal accounting, these orphaned PAM children are counted as pending connections by the master OpenSSH server process. Once a certain number of orphans has accumulated, the master decides that it is overloaded and stops accepting client connections.
012cb667b2bae94ec1b414c8de659b5091c2732abdfc4cd748a4a6a9557830cd
FreeBSD Security Advisory FreeBSD-SA-06:08.sack - SACK (Selective Acknowledgment) is an extension to the TCP/IP protocol that allows hosts to acknowledge the receipt of some, but not all, of the packets sent, thereby reducing the cost of retransmissions. When insufficient memory is available to handle an incoming selective acknowledgment, the TCP/IP stack may enter an infinite loop.
8d3f7d980f0020012c292d7bd87a577e7beeedfba74ebfdf5862b03683811826
FreeBSD Security Advisory - ipfw maintains a pointer to layer 4 header information in the event that it needs to send a TCP reset or ICMP error message to discard packets. Due to incorrect handling of IP fragments, this pointer fails to get initialized.
b38cd8ef482c561df679f578513cab445b16a6b986a0729f301d0dc0adb15098
FreeBSD Security Advisory - The ispell_op function used by ee(1) while executing spell check operations employs an insecure method of temporary file generation. This method produces predictable file names based on the process ID and fails to confirm which path will be overwritten with the user.
aabdd726e7f1d21c64dd7f601f42432a072639283866afd5cb5d75fd085e4063
FreeBSD Security Advisory FreeBSD-SA-05:20.cvsbug - A temporary file is created, used, deleted, and then re-created with the same name. This creates a window during which an attacker could replace the file with a link to another file.
42359b765b65baccde1ce2c51098dbada23fc98d9631451d3ea628c76795611b
FreeBSD Security Advisory FreeBSD-SA-05:08 - In many parts of the FreeBSD kernel, names (of mount points, devices, files, etc.) are manipulated as NULL-terminated strings, but are provided to applications within fixed-length buffers.
7b6aaa70807a670d6dd9019e62eee21d12cbe814525a0fe9b97d0c2e7ddca5a4
FreeBSD Security Advisory FreeBSD-SA-05:07 - The i386_get_ldt(2) system call allows a process to request that a portion of its Local Descriptor Table be copied from the kernel into userland. The i386_get_ldt(2) syscall performs insufficient validation of its input arguments. In particular, negative or very large values may allow inappropriate data to be copied from the kernel.
04fa0fee6b63c8ba41c37a7811a6462ab62955205b703bf973f33ee92e6da579
FreeBSD Security Advisory FreeBSD-SA-05:06 - The default permissions on the /dev/iir device node allow unprivileged local users to open the device and execute ioctl calls. Unprivileged local users can send commands to the hardware supported by the iir(4) driver, allowing destruction of data and possible disclosure of data.
9ebaba97534f52d79c1400d144ce3197429e42a0672b056673e3918480351f3a
FreeBSD Security Advisory FreeBSD-SA-05:19.ipsec - IPsec is a security protocol for the Internet Protocol networking layer. It provides a combination of encryption and authentication, using one of several possible cryptographic algorithms. A programming error in the implementation of the AES-XCBC-MAC algorithm for authentication resulted in a constant key being used instead of the key specified by the system administrator.
9d75e7d220ed1f61f09ae93e44a8e0ba4c60a6a4d11ff8f03cc972a6df79b6ea
FreeBSD Security Advisory FreeBSD-SA-05:18.zlib - A carefully constructed compressed data stream can result in zlib overwriting some data structures. This may cause applications to halt, resulting in a denial of service; or it may result in an attacker gaining elevated privileges.
b2d40ae5f59903bd6c1b0e96942c8b40d5b7c0070b211d4957535d4b74ee339c
FreeBSD Security Advisory FreeBSD-SA-05:17.devfs - Due to insufficient parameter checking of the node type during device creation, any user can expose hidden device nodes on devfs mounted file systems within their jail. Device nodes will be created in the jail with their normal default access permissions.
e1c7cadcfc9a5b70208783e95f2c0e0102c8c0c89d38162917beeb93216b369c
FreeBSD Security Advisory FreeBSD-SA-05:09 - When running on processors supporting Hyper-Threading Technology, it is possible for a malicious thread to monitor the execution of another thread.
5e666245ff6f81ff72f602f77622595ea80e3cf57ceb0ef27419e4e10cfa5986
FreeBSD Security Advisory FreeBSD-SA-05:15 - Two problems have been discovered in the FreeBSD TCP stack. First, when a TCP packet containing a timestamp is received, inadequate checking of sequence numbers is performed, allowing an attacker to artificially increase the internal "recent" timestamp for a connection. Second, a TCP packet with the SYN flag set is accepted for established connections, allowing an attacker to overwrite certain TCP options.
30663ff4e4d6e6643116559b25a849f751e84dc20b68d90c0261a28842688ff7
FreeBSD Security Advisory FreeBSD-SA-05:14 - Two problems have been discovered relating to the extraction of bzip2-compressed files. First, a carefully constructed invalid bzip2 archive can cause bzip2 to enter an infinite loop. Second, when creating a new file, bzip2 closes the file before setting its permissions.
81c864494c3fb7c1777f84c50d2ea5e1bb96b674001417c3e3f9e573fb1005a0
FreeBSD Security Advisory FreeBSD-SA-05:13 - The ipfw tables lookup code caches the result of the last query. The kernel may process multiple packets concurrently, performing several concurrent table lookups. Due to insufficient locking, a cached result can become corrupted, which could cause some addresses to be incorrectly matched against a lookup table.
6b7aa2a12074c968569303a922ef2f40cc26ef0aef04894d3fd3b9ebce0d5e08
FreeBSD Security Advisory FreeBSD-SA-05:12 - A DNSSEC-related validator function in BIND 9.3.0 contains an inappropriate internal consistency test. When this test is triggered, named(8) will exit.
8fccf0614b4cae1a8f3081cb6f85fef6c558ed5fcde321cc9167d2225a2c0f87
FreeBSD Security Advisory FreeBSD-SA-05:05 - Multiple programming errors were found in CVS. In one case, variable length strings are copied into a fixed length buffer without adequate checks being made; other errors include NULL pointer dereferences, possible use of uninitialized variables, and memory leaks.
0955613e37e271809f7afef6711a84a64f2032dbe02f04eb08d63144b31158fa
FreeBSD Security Advisory FreeBSD-SA-05:03 - The AMD64 architecture has two mechanisms for permitting processes to access hardware: Kernel code can access hardware directly by reason of its elevated privilege level, while user code can access a subset of hardware determined by a bitmap. The bitmap which determines which hardware can be accessed by unprivileged processes was not initialized properly. Unprivileged users on amd64 systems can gain direct access to some hardware, allowing for denial of service, disclosure of sensitive information, or possible privilege escalation.
70032104738efc10dec36f903360b79be790b01eb2ead623c710d5e8b076169f
FreeBSD Security Advisory FreeBSD-SA-05:02 - The sendfile(2) system call allows a server application (such as an HTTP or FTP server) to transmit the contents of a file over a network connection without first copying it to application memory. High performance servers such as Apache and ftpd use sendfile. If the file being transmitted is truncated after the transfer has started but before it completes, sendfile(2) will transfer the contents of more or less random portions of kernel memory in lieu of the missing part of the file.
f23b5fbf03b2582e71dc290dd2da453c3f35c25347c573b97a39ab6a5ff37a46
FreeBSD Security Advisory FreeBSD-SA-04:17.procfs - The implementation of the /proc/curproc/cmdline pseudofile in the procfs(5) file system on FreeBSD 4.x and 5.x, and of the /proc/self/cmdline pseudofile in the linprocfs(5) file system on FreeBSD 5.x reads a process' argument vector from the process address space. During this operation, a pointer was dereferenced directly without the necessary validation steps being performed.
9172f91c6b027b6f7c743ba70a7c8f2026e861b105f1b6f5125ce2249481c20b
FreeBSD Security Advisory FreeBSD-SA-04:15.syscons - The syscons CONS_SCRSHOT ioctl(2) does insufficient validation of its input arguments. In particular, negative coordinates or large coordinates may cause unexpected behavior.
088af9d9dc40b2a466a18dea6a434c2f0859fe37e3f6919135f3ac37f610c117