This page is READ-ONLY. It is generated from the old site.
All timestamps are relative to 2013 (when this page is generated).
If you are looking for TeX support, please go to VietTUG.org

FreeBSD: three Security Advisories in a day!

great :D
Added by icy over 1 year ago

I've received the announcements today

  1. Code execution via chrooted ftpd http://security.FreeBSD.org/advisories/FreeBSD-SA-11:07.chroot.asc
  2. telnetd code execution vulnerability http://security.FreeBSD.org/advisories/FreeBSD-SA-11:08.telnetd.asc
  3. pam_ssh improperly grants access when user account has unencrypted SSH private keys http://security.FreeBSD.org/advisories/FreeBSD-SA-11:09.pam_ssh.asc

Long time no see you, FreeBSD :)


Comments

Added by icy over 1 year ago

Two more

  1. Remote packet Denial of Service against named(8) servers http://security.FreeBSD.org/advisories/FreeBSD-SA-11:06.bind.asc
  2. pam_start() does not validate service names http://security.FreeBSD.org/advisories/FreeBSD-SA-11:10.pam.asc

Added by icy over 1 year ago

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

No, the Grinch didn't steal the FreeBSD security officer GPG key, and your eyes
aren't deceiving you: We really did just send out 5 security advisories.

The timing, to put it bluntly, sucks.  We normally aim to release advisories on
Wednesdays in order to maximize the number of system administrators who will be
at work already; and we try very hard to avoid issuing advisories any time close
to holidays for the same reason.  The start of the Christmas weekend -- in some
parts of the world it's already Saturday -- is absolutely not when we want to be
releasing security advisories.

Unfortunately my hand was forced: One of the issues (FreeBSD-SA-11:08.telnetd)
is a remote root vulnerability which is being actively exploited in the wild;
bugs really don't come any worse than this.  On the positive side, most people
have moved past telnet and on to SSH by now; but this is still not an issue we
could postpone until a more convenient time.

While I'm writing, a note to freebsd-update users: FreeBSD-SA-11:07.chroot has a
rather messy fix involving adding a new interface to libc; this has the awkward
side effect of causing the sizes of some "symbols" (aka. functions) in libc to
change, resulting in cascading changes into many binaries.  The long list of
updated files is irritating, but isn't a sign that anything in freebsd-update
went wrong.

- -- 
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)

iEYEARECAAYFAk70oKgACgkQFdaIBMps37IsdACgh01CeO+zVGe3o9dn2cLvhh70
ISoAoJCeLUAbJ+0ibyfbVM4fYxpiEfo0
=vt5I
-----END PGP SIGNATURE-----