Hello Folks,
Just a status on upcoming advisories.
FreeBSD-SA-03:15.openssh
This is in final review and should be released today. Fixes
for this issue entered the tree on September 24. I apologize
for the delay in getting this one out.
FreeBSD-SA-03:16.filedesc
A reference counting bug was discovered that could lead to
kernel memory disclosure or a system panic. Fixes for this issue
were committed to -CURRENT, -STABLE, and the security branches
earlier today. This bug was reported to us by Joost Pol of
Pine Digital Security, and their advisory just went onto the web:
<URL: http://www.pine.nl/press/pine-cert-20030901.txt >
FreeBSD-SA-03:17.procfs
Several similar bugs involving integer arithmetic underflows
or overflows were identified, again by Joost Pol. These bugs
could also lead to kernel memory disclosure or system panic.
Fixes for this issue are in -CURRENT and -STABLE. The security
branches will be addressed during the rest of the day.
<URL: http://www.pine.nl/press/pine-cert-20030902.txt >
FreeBSD-SA-03:18.openssl
The issue reported at
<URL: http://www.openssl.org/news/secadv_20030930.txt >
affects the version of OpenSSL included with previous versions
of FreeBSD. The impact is limited to denial-of-service. Because
of the relative severity of the above issues, this openssl issue
will likely not be completely dealt with until tomorrow or even
Saturday. The official fixed version, OpenSSL 0.9.7c, was
imported into -CURRENT yesterday, and will be MFC'd to -STABLE
today, but it will be a bit longer to backport fixes for the
security branches.
Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se
Jacques A. Vidrine
2003-Oct-02 10:46 UTC
Workaround for procfs (was Re: HEADS UP: upcoming security advisories)
On Thu, Oct 02, 2003 at 12:08:44PM -0500, Jacques A. Vidrine wrote:
> FreeBSD-SA-03:17.procfs
> Several similar bugs involving integer arithmetic underflows
> or overflows were identified, again by Joost Pol. These bugs
> could also lead to kernel memory disclosure or system panic.
> Fixes for this issue are in -CURRENT and -STABLE. The security
> branches will be addressed during the rest of the day.
> <URL: http://www.pine.nl/press/pine-cert-20030902.txt >

Regarding this issue: A simple workaround is to unmount /proc. Execute
the following command as root:

umount -a -t procfs

Also, remove or comment out any lines in fstab(5) that reference
`procfs', so that it will not be re-mounted at next reboot.

Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se
On Oct 02, at 12:08 PM, Jacques A. Vidrine wrote:
>
> Just a status on upcoming advisories.
>
> FreeBSD-SA-03:15.openssh
> This is in final review and should be released today. Fixes
> for this issue entered the tree on September 24. I apologize
> for the delay in getting this one out.

I see that no advisory or patch has been released yet, or has this been
rolled into SA-03:18?

Dave
--
D. J. HAWKEY JR.
hawkeyd@visi.com
http://www.visi.com/~hawkeyd/
At 09:30 05/10/2003 -0500, D J Hawkey Jr wrote:
> On Oct 02, at 12:08 PM, Jacques A. Vidrine wrote:
> > FreeBSD-SA-03:15.openssh
> > This is in final review and should be released today. Fixes
> > for this issue entered the tree on September 24. I apologize
> > for the delay in getting this one out.
>
> I see that no advisory or patch has been released yet, or has this been
> rolled into SA-03:18?

SA-03:15 deals with PAM issues, so it isn't part of SA-03:18; des committed
fixes to RELENG_4_6, _4_7, _4_8, _4, _5_1, and HEAD on September 24th. I
assume the advisory will come out soon -- with all these recent security
issues coming up at once, it seems that fixing the bugs has taken priority
over writing the associated advisories (with good reason).

Colin Percival