This page displays vulnerability information about FreeBSD Ports.
The VUXML data was last processed by FreshPorts on 2024-04-18 11:12:36 UTC
These are the vulnerabilities relating to the commit you have selected:
VuXML ID | Description |
---|---|
012809ce-83f3-11ea-92ab-00163e433440 | OpenSSL remote denial of service vulnerability. Problem Description: Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognized signature algorithm is received from the peer. Impact: A malicious peer could exploit the NULL pointer dereference crash, causing a denial of service attack. Discovery 2020-04-21 Entry 2020-04-21 Modified 2020-04-22 FreeBSD ge 12.1 lt 12.1_4 openssl ge 1.1.1,1 lt 1.1.1g,1 CVE-2020-1967 SA-20:11.openssl https://www.openssl.org/news/secadv/20200421.txt |
01d729ca-1143-11e6-b55e-b499baebfeaf | OpenSSL -- multiple vulnerabilities. OpenSSL reports: Discovery 2016-05-03 Entry 2016-05-03 Modified 2016-08-09 openssl < 1.0.2_11 linux-c6-openssl < 1.0.1e_8 libressl ge 2.3.0 lt 2.3.4 < 2.2.7 libressl-devel < 2.3.4 FreeBSD ge 10.3 lt 10.3_2 ge 10.2 lt 10.2_16 ge 10.1 lt 10.1_33 ge 9.3 lt 9.3_41 https://www.openssl.org/news/secadv/20160503.txt https://marc.info/?l=openbsd-tech&m=146228598730414 CVE-2016-2105 CVE-2016-2106 CVE-2016-2107 CVE-2016-2108 CVE-2016-2109 CVE-2016-2176 SA-16:17.openssl |
022a4c77-2da4-11e1-b356-00215c6a37bb | proftpd -- arbitrary code execution vulnerability with chroot. The FreeBSD security advisory FreeBSD-SA-11:07.chroot reports: Proftpd shares the same problem of a similar nature. Discovery 2011-11-30 Entry 2011-12-23 Modified 2012-01-29 FreeBSD ge 7.3 lt 7.3_9 ge 7.4 lt 7.4_5 ge 8.1 lt 8.1_6 ge 8.2 lt 8.2_5 proftpd proftpd-mysql < 1.3.3g_1 proftpd-devel < 1.3.3.r4_3,1 SA-11:07.chroot http://seclists.org/fulldisclosure/2011/Nov/452 |
0282269d-bbee-11e6-b1cf-14dae9d210b8 | FreeBSD -- link_ntoa(3) buffer overflow. Problem Description: A specially crafted argument can trigger a static buffer overflow in the library, with possibility to rewrite following static buffers that belong to other library functions. Impact: Due to very limited use of the function in the existing applications, and limited length of the overflow, exploitation of the vulnerability does not seem feasible. None of the utilities and daemons in the base system are known to be vulnerable. However, careful review of third party software that may use the function was not performed. Discovery 2016-12-06 Entry 2016-12-06 Modified 2016-12-08 FreeBSD ge 11.0 lt 11.0_5 ge 10.3 lt 10.3_14 ge 10.2 lt 10.2_27 ge 10.1 lt 10.1_44 ge 9.3 lt 9.3_52 CVE-2016-6559 SA-16:37.libc |
03175e62-5494-11e4-9cc1-bc5ff4fb5e7b | OpenSSL -- multiple vulnerabilities. The OpenSSL Project reports: Discovery 2014-10-15 Entry 2014-10-15 Modified 2016-08-09 openssl ge 1.0.1 lt 1.0.1_16 mingw32-openssl ge 1.0.1 lt 1.0.1j linux-c6-openssl < 1.0.1e_1 FreeBSD ge 8.4 lt 8.4_17 ge 9.1 lt 9.1_20 ge 9.2 lt 9.2_13 ge 9.3 lt 9.3_3 ge 10.0 lt 10.0_10 SA-14:23.openssl CVE-2014-3513 CVE-2014-3566 CVE-2014-3567 CVE-2014-3568 https://www.openssl.org/news/secadv_20141015.txt |
077c2dca-8f9a-11db-ab33-000e0c2e438a | openssl -- Incorrect PKCS#1 v1.5 padding validation in crypto(3). Problem Description: When verifying a PKCS#1 v1.5 signature, OpenSSL ignores any bytes which follow the cryptographic hash being signed. In a valid signature there will be no such bytes. Impact: OpenSSL will incorrectly report some invalid signatures as valid. When an RSA public exponent of 3 is used, or more generally when a small public exponent is used with a relatively large modulus (e.g., a public exponent of 17 with a 4096-bit modulus), an attacker can construct a signature which OpenSSL will accept as a valid PKCS#1 v1.5 signature. Workaround: No workaround is available. Discovery 2006-09-06 Entry 2006-12-19 Modified 2016-08-09 FreeBSD ge 6.1 lt 6.1_6 ge 6.0 lt 6.0_11 ge 5.5 lt 5.5_4 ge 5.4 lt 5.4_18 ge 5.3 lt 5.3_33 < 4.11_21 openssl gt 0.9.8 lt 0.9.8c_9 < 0.9.7k_0 CVE-2006-4339 SA-06:19.openssl |
0792e7a7-8e37-11d8-90d1-0020ed76ef5a | CVS path validation errors Two programming errors were discovered in which path names handled by CVS were not properly validated. In one case, the CVS client accepts absolute path names from the server when determining which files to update. In another case, the CVS server accepts relative path names from the client when determining which files to transmit, including those containing references to parent directories (`../'). These programming errors generally only have a security impact when dealing with remote CVS repositories. A malicious CVS server may cause a CVS client to overwrite arbitrary files on the client's system. A CVS client may request RCS files from a remote system other than those in the repository specified by $CVSROOT. These RCS files need not be part of any CVS repository themselves. Discovery 2004-04-14 Entry 2004-04-14 Modified 2004-05-05 cvs+ipv6 le 1.11.5_1 FreeBSD ge 5.2 lt 5.2.1_5 ge 4.9 lt 4.9_5 ge 4.8 lt 4.8_18 CVE-2004-0180 CVE-2004-0405 http://ccvs.cvshome.org/servlets/NewsItemView?newsID=102 SA-04:07.cvs |
08ac7b8b-bb30-11da-b2fb-000e0c2e438a | sendmail -- race condition vulnerability. Problem Description: A race condition has been reported to exist in the handling by sendmail of asynchronous signals. Impact: A remote attacker may be able to execute arbitrary code with the privileges of the user running sendmail, typically root. Workaround: There is no known workaround other than disabling sendmail. Discovery 2006-03-22 Entry 2006-03-24 Modified 2006-06-09 sendmail gt 8.13 lt 8.13.6 FreeBSD ge 6.0 lt 6.0_6 ge 5.4 lt 5.4_13 ge 5.3 lt 5.3_28 ge 4.11 lt 4.11_16 ge 4.10 lt 4.10_22 CVE-2006-0058 SA-06:13.sendmail |
0ac1aace-f7b9-11da-9156-000e0c2e438a | ypserv -- Inoperative access controls in ypserv. Problem Description: There are two documented methods of restricting access to NIS maps through ypserv(8): through the use of the /var/yp/securenets file, and through the /etc/hosts.allow file. While both mechanisms are implemented in the server, a change in the build process caused the "securenets" access restrictions to be inadvertently disabled. Impact: ypserv(8) will not load or process any of the networks or hosts specified in the /var/yp/securenets file, rendering those access controls ineffective. Workaround: One possible workaround is to use /etc/hosts.allow for access control, as shown by examples in that file. Another workaround is to use a firewall (e.g., ipfw(4), ipf(4), or pf(4)) to limit access to RPC functions from untrusted systems or networks, but due to the complexities of RPC, it might be difficult to create a set of firewall rules which accomplish this without blocking all access to the machine in question. Discovery 2006-05-31 Entry 2006-06-09 FreeBSD ge 5.3 lt 5.3_30 ge 5.4 lt 5.4_15 ge 5.5 lt 5.5_1 ge 6.0 lt 6.0_8 ge 6.1 lt 6.1_1 CVE-2006-2655 SA-06:15.ypserv |
0b65f297-600a-11e6-a6c3-14dae9d210b8 | FreeBSD -- Insecure default GELI keyfile permissions. Problem Description: The default permission set by bsdinstall(8) installer when configuring full disk encrypted ZFS is too open. Impact: A local attacker may be able to get a copy of the geli(8) provider's keyfile which is located at a fixed location. Discovery 2015-04-07 Entry 2016-08-11 FreeBSD ge 10.1 lt 10.1_9 CVE-2015-1415 SA-15:08.bsdinstall |
0b8d01a4-a0d2-11e6-9ca2-d050996490d0 | BIND -- Remote Denial of Service vulnerability. ISC reports: Discovery 2016-11-01 Entry 2016-11-02 bind99 < 9.9.9P4 bind910 < 9.10.4P4 bind911 < 9.11.0P1 bind9-devel le 9.12.0.a.2016.10.21 FreeBSD ge 9.3 lt 9.3_50 CVE-2016-8864 SA-16:34.bind https://kb.isc.org/article/AA-01434/ |
0b8d7194-ca88-11e3-9d8d-c80aa9043978 | OpenSSL -- Remote Data Injection / DoS Applications that use SSL_MODE_RELEASE_BUFFERS, such as nginx, are prone to a race condition which may allow a remote attacker to inject random data into other connections. Discovery 2010-02-09 Entry 2014-04-23 Modified 2016-08-09 openssl ge 1.0.1 lt 1.0.1_11 mingw32-openssl ge 1.0.1 le 1.0.1g FreeBSD ge 10.0 lt 10.0_2 https://rt.openssl.org/Ticket/Display.html?id=2167 http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse SA-14:09.openssl CVE-2010-5298 |
0c6759dd-600a-11e6-a6c3-14dae9d210b8 | FreeBSD -- shell injection vulnerability in patch(1). Problem Description: Due to insufficient sanitization of the input patch stream, it is possible for a patch file to cause patch(1) to run commands in addition to the desired SCCS or RCS commands. Impact: This issue could be exploited to execute arbitrary commands as the user invoking patch(1) against a specially crafted patch file, which could be leveraged to obtain elevated privileges. Discovery 2015-07-28 Entry 2016-08-11 FreeBSD ge 10.1 lt 10.1_16 CVE-2015-1416 SA-15:14.bsdpatch |
0d090952-600a-11e6-a6c3-14dae9d210b8 | FreeBSD -- shell injection vulnerability in patch(1). Problem Description: Due to insufficient sanitization of the input patch stream, it is possible for a patch file to cause patch(1) to pass certain ed(1) scripts to the ed(1) editor, which would run commands. Impact: This issue could be exploited to execute arbitrary commands as the user invoking patch(1) against a specially crafted patch file, which could be leveraged to obtain elevated privileges. Discovery 2015-08-05 Entry 2016-08-11 FreeBSD ge 10.1 lt 10.1_17 CVE-2015-1418 SA-15:18.bsdpatch |
0d584493-600a-11e6-a6c3-14dae9d210b8 | FreeBSD -- routed(8) remote denial of service vulnerability. Problem Description: The input path in routed(8) will accept queries from any source and attempt to answer them. However, the output path assumes that the destination address for the response is on a directly connected network. Impact: Upon receipt of a query from a source which is not on a directly connected network, routed(8) will trigger an assertion and terminate. The affected system's routing table will no longer be updated. If the affected system is a router, its routes will eventually expire from other routers' routing tables, and its networks will no longer be reachable unless they are also connected to another router. Discovery 2015-08-05 Entry 2016-08-11 FreeBSD ge 10.1 lt 10.1_17 ge 9.3 lt 9.3_22 CVE-2015-5674 SA-15:19.routed |
0da8a68e-600a-11e6-a6c3-14dae9d210b8 | FreeBSD -- Multiple integer overflows in expat (libbsdxml) XML parser. Problem Description: Multiple integer overflows have been discovered in the XML_GetBuffer() function in the expat library. Impact: The integer overflows may be exploited by using specifically crafted XML data and lead to infinite loop, or a heap buffer overflow, which results in a Denial of Service condition, or enables remote attackers to execute arbitrary code. Discovery 2015-08-18 Entry 2016-08-11 FreeBSD ge 10.1 lt 10.1_18 ge 10.2 lt 10.2_1 ge 9.3 lt 9.3_23 CVE-2015-1283 SA-15:20.expat |
0dc91089-ca41-11df-aade-0050568f000c | FreeBSD -- Unvalidated input in nfsclient. Problem Description: The NFS client subsystem fails to correctly validate the length of a parameter provided by the user when a filesystem is mounted. Discovery 2010-05-27 Entry 2010-10-24 Modified 2016-08-09 FreeBSD ge 7.2 lt 7.2_8 ge 7.3 lt 7.3_1 ge 8.0 lt 8.0_3 SA-10:06.nfsclient |
0e5d6969-600a-11e6-a6c3-14dae9d210b8 | FreeBSD -- rpcbind(8) remote denial of service [REVISED]. Problem Description: In rpcbind(8), netbuf structures are copied directly, which would result in two netbuf structures that reference to one shared address buffer. When one of the two netbuf structures is freed, access to the other netbuf structure would result in an undefined result that may crash the rpcbind(8) daemon. Impact: A remote attacker who can send specifically crafted packets to the rpcbind(8) daemon can cause it to crash, resulting in a denial of service condition. Discovery 2015-09-29 Entry 2016-08-11 FreeBSD ge 10.2 lt 10.2_5 ge 10.1 lt 10.1_22 ge 9.3 lt 9.3_28 CVE-2015-7236 SA-15:24.rpcbind |
0f020b7b-e033-11e1-90a2-000c299b62e1 | FreeBSD -- named(8) DNSSEC validation Denial of Service. Problem description: Discovery 2012-07-24 Entry 2012-08-07 FreeBSD ge 7.4 lt 7.4_10 ge 8.1 lt 8.1_13 ge 8.2 lt 8.2_10 ge 8.3 lt 8.3_4 ge 9.0 lt 9.0_4 SA-12:05.bind CVE-2012-3817 |
0f37d765-c5d4-11db-9f82-000e0c2e438a | OpenSSL -- Multiple problems in crypto(3). Problem Description: Several problems have been found in OpenSSL: In addition, many applications using OpenSSL do not perform any validation of the lengths of public keys being used. Impact: Servers which parse ASN1 data from untrusted sources may be vulnerable to a denial of service attack. An attacker accessing a server which uses SSL version 2 may be able to execute arbitrary code with the privileges of that server. A malicious SSL server can cause clients connecting using SSL version 2 to crash. Applications which perform public key operations using untrusted keys may be vulnerable to a denial of service attack. Workaround: No workaround is available, but not all of the vulnerabilities mentioned affect all applications. Discovery 2006-09-28 Entry 2007-02-26 Modified 2016-08-09 openssl < 0.9.7l_0 ge 0.9.8 lt 0.9.8d_0 FreeBSD ge 6.1 lt 6.1_9 ge 6.0 lt 6.0_14 ge 5.5 lt 5.5_7 ge 5.4 lt 5.4_21 ge 5.3 lt 5.3_36 ge 4.11 lt 4.11_24 CVE-2006-2937 CVE-2006-2938 CVE-2006-2940 CVE-2006-3738 CVE-2006-4343 SA-06:23.openssl |
0fcd3af0-a0fe-11e6-b1cf-14dae9d210b8 | FreeBSD -- OpenSSL Remote DoS vulnerability. Problem Description: Due to improper handling of alert packets, OpenSSL would consume an excessive amount of CPU time processing undefined alert messages. Impact: A remote attacker who can initiate handshakes with an OpenSSL based server can cause the server to consume a lot of computation power with very little bandwidth usage, and may be able to use this technique in a leveraged Denial of Service attack. Discovery 2016-11-02 Entry 2016-11-02 Modified 2017-02-22 FreeBSD ge 10.3 lt 10.3_12 ge 10.2 lt 10.2_25 ge 10.1 lt 10.1_42 ge 9.3 lt 9.3_50 openssl < 1.0.2i,1 openssl-devel < 1.1.0a linux-c6-openssl < 1.0.1e_13 linux-c7-openssl-libs < 1.0.1e_3 CVE-2016-8610 SA-16:35.openssl http://seclists.org/oss-sec/2016/q4/224 |
107c7a76-beaa-11eb-b87a-901b0ef719ab | FreeBSD -- Missing message validation in libradius(3). Problem Description: libradius did not perform sufficient validation of received messages. rad_get_attr(3) did not verify that the attribute length is valid before subtracting the length of the Type and Length fields. As a result, it could return success while also providing a bogus length of SIZE_T_MAX - 2 for the Value field. When processing attributes to find an optional authenticator, is_valid_response() failed to verify that each attribute length is non-zero and could thus enter an infinite loop. Impact: A server may use libradius(3) to process messages from RADIUS clients. In this case, a malicious client could trigger a denial-of-service in the server. A client using libradius(3) to process messages from a server is susceptible to the same problem. The impact of the rad_get_attr(3) bug depends on how the returned length is validated and used by the consumer. It is possible that libradius(3) applications will crash or enter an infinite loop when calling rad_get_attr(3) on untrusted RADIUS messages. Discovery 2021-05-27 Entry 2021-05-27 FreeBSD ge 13.0 lt 13.0_1 ge 12.2 lt 12.2_7 ge 11.4 lt 11.4_10 CVE-2021-29629 SA-21:12.libradius |
10d73529-7f4b-11e4-af66-00215af774f0 | unbound -- can be tricked into following an endless series of delegations, this consumes a lot of resources. Unbound developer reports: Discovery 2014-12-08 Entry 2014-12-09 Modified 2016-08-09 unbound < 1.5.1 FreeBSD ge 10.0 lt 10.0_14 ge 10.1 lt 10.1_2 http://unbound.net/downloads/CVE-2014-8602.txt SA-14:30.unbound CVE-2014-8602 |
11a84092-8f9f-11db-ab33-000e0c2e438a | gzip -- multiple vulnerabilities. Problem Description: Multiple programming errors have been found in gzip which can be triggered when gzip is decompressing files. These errors include insufficient bounds checks in buffer use, a NULL pointer dereference, and a potential infinite loop. Impact: The insufficient bounds checks in buffer use can cause gzip to crash, and may permit the execution of arbitrary code. The NULL pointer dereference can cause gzip to crash. The infinite loop can cause a Denial-of-Service situation where gzip uses all available CPU time. Workaround: No workaround is available. Discovery 2006-09-19 Entry 2006-12-19 Modified 2016-08-09 FreeBSD ge 6.1 lt 6.1_7 ge 6.0 lt 6.0_12 ge 5.5 lt 5.5_5 ge 5.4 lt 5.4_19 ge 5.3 lt 5.3_34 < 4.11_22 gzip < 1.3.12 CVE-2006-4334 CVE-2006-4335 CVE-2006-4336 CVE-2006-4337 CVE-2006-4338 SA-06:21.gzip |
13031d98-9bd1-11e2-a7be-8c705af55518 | FreeBSD -- BIND remote denial of service. Discovery 2013-04-02 Entry 2013-04-02 Modified 2016-08-09 FreeBSD ge 9.0 lt 9.0_7 ge 9.1 lt 9.1_2 CVE-2013-2266 SA-13:04.bind https://kb.isc.org/article/AA-00871 |
180e9a38-060f-4c16-a6b7-49f3505ff22a | kernel -- information disclosure when using HTT. Problem description and impact: When running on processors supporting Hyper-Threading Technology, it is possible for a malicious thread to monitor the execution of another thread. Information may be disclosed to local users, allowing in many cases for privilege escalation. For example, on a multi-user system, it may be possible to steal cryptographic keys used in applications such as OpenSSH or SSL-enabled web servers. NOTE: Similar problems may exist in other simultaneous multithreading implementations, or even some systems in the absence of simultaneous multithreading. However, current research has only demonstrated this flaw in Hyper-Threading Technology, where shared memory caches are used. Workaround: Systems not using processors with Hyper-Threading Technology support are not affected by this issue. On systems which are affected, the security flaw can be eliminated by setting the "machdep.hlt_logical_cpus" tunable: `# echo "machdep.hlt_logical_cpus=1" >> /boot/loader.conf` The system must be rebooted in order for tunables to take effect. Use of this workaround is not recommended on "dual-core" systems, as this workaround will also disable one of the processor cores. Discovery 2005-05-13 Entry 2005-05-13 FreeBSD ge 5.4 lt 5.4_1 ge 5.0 lt 5.3_15 ge 4.11 lt 4.11_9 < 4.10_14 CVE-2005-0109 SA-05:09.htt http://www.daemonology.net/hyperthreading-considered-harmful/ |
185ff22e-c066-11e1-b5e0-000c299b62e1 | FreeBSD -- Incorrect crypt() hashing. Problem description: Discovery 2012-05-30 Entry 2012-06-27 FreeBSD ge 7.4 lt 7.4_8 ge 8.1 lt 8.1_10 ge 8.2 lt 8.2_8 ge 8.3 lt 8.3_2 ge 9.0 lt 9.0_2 SA-12:02.crypt CVE-2012-2143 |
18dc48fe-ca42-11df-aade-0050568f000c | FreeBSD -- Integer overflow in bzip2 decompression. Problem Description: When decompressing data, the run-length encoded values are not adequately sanity-checked, allowing for an integer overflow. Discovery 2010-09-20 Entry 2010-10-24 Modified 2016-08-09 FreeBSD ge 6.4 lt 6.4_11 ge 7.1 lt 7.1_14 ge 7.3 lt 7.3_3 ge 8.0 lt 8.0_5 ge 8.1 lt 8.1_1 SA-10:08.bzip2 |
1959e847-d4f0-11e3-84b0-0018fe623f2b | OpenSSL -- NULL pointer dereference / DoS. OpenBSD and David Ramos report: Discovery 2014-05-02 Entry 2014-05-03 Modified 2016-08-09 openssl ge 1.0.1 lt 1.0.1_12 FreeBSD ge 10.0 lt 10.0_3 http://www.openwall.com/lists/oss-security/2014/05/02/5 https://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=3321 SA-14:10.openssl CVE-2014-0198 |
197f444f-e8ef-11d9-b875-0001020eed82 | bzip2 -- denial of service and permission race vulnerabilities. Problem Description: Two problems have been discovered relating to the extraction of bzip2-compressed files. First, a carefully constructed invalid bzip2 archive can cause bzip2 to enter an infinite loop. Second, when creating a new file, bzip2 closes the file before setting its permissions. Impact: The first problem can cause bzip2 to extract a bzip2 archive to an infinitely large file. If bzip2 is used in automated processing of untrusted files this could be exploited by an attacker to create a denial-of-service situation by exhausting disk space or by consuming all available CPU time. The second problem can allow a local attacker to change the permissions of local files owned by the user executing bzip2 providing that they have write access to the directory in which the file is being extracted. Workaround: Do not uncompress bzip2 archives from untrusted sources and do not uncompress files in directories where untrusted users have write access. Discovery 2005-03-30 Entry 2005-06-29 Modified 2016-08-09 FreeBSD ge 5.4 lt 5.4_3 ge 5.0 lt 5.3_17 ge 4.11 lt 4.11_11 < 4.10_16 bzip2 < 1.0.3_1 CVE-2005-0953 CVE-2005-1260 SA-05:14.bzip2 http://scary.beasts.org/security/CESA-2005-002.txt |
1a71a972-8ee7-11e6-a590-14dae9d210b8 | FreeBSD -- Multiple libarchive vulnerabilities. Problem Description: Flaws in libarchive's handling of symlinks and hard links allow overwriting files outside the extraction directory, or permission changes to a directory outside the extraction directory. Impact: An attacker who can control freebsd-update's or portsnap's input to tar(1) can change file content or permissions on files outside of the update tool's working sandbox. Discovery 2016-10-05 Entry 2016-10-10 FreeBSD ge 11.0 lt 11.0_1 ge 10.3 lt 10.3_10 ge 10.2 lt 10.2_23 ge 10.1 lt 10.1_40 SA-16:31.libarchive |
1d56cfc5-3970-11eb-929d-d4c9ef517024 | OpenSSL -- NULL pointer de-reference. The OpenSSL project reports: Discovery 2020-12-08 Entry 2020-12-08 Modified 2020-12-15 openssl ge 1.0.2,1 lt 1.1.1i,1 FreeBSD ge 12.2 lt 12.2_2 ge 12.1 lt 12.1_12 ge 11.4 lt 11.4_6 https://www.openssl.org/news/secadv/20201208.txt CVE-2020-1971 SA-20:33.openssl |
1db1ed59-af07-11d8-acb9-000d610a3b12 | buffer cache invalidation implementation issues Programming errors in the implementation of the msync(2) system call involving the MS_INVALIDATE operation lead to cache consistency problems between the virtual memory system and on-disk contents. In some situations, a user with read access to a file may be able to prevent changes to that file from being committed to disk. Discovery 2004-04-24 Entry 2004-05-26 FreeBSD ge 5.0 lt 5.2_8 ge 4.9 lt 4.9_9 ge 4.0 lt 4.8_22 CVE-2004-0435 SA-04:11.msync |
1e1421f0-8d6f-11e0-89b4-001ec9578670 | BIND -- Large RRSIG RRsets and Negative Caching DoS. ISC reports: Discovery 2011-05-26 Entry 2011-06-04 Modified 2016-08-09 bind9-sdb-ldap bind9-sdb-postgresql < 9.4.3.4 bind96 < 9.6.3.1.ESV.R4.1 bind97 < 9.7.3.1 bind98 < 9.8.0.2 FreeBSD ge 7.3 lt 7.3_6 ge 7.4 lt 7.4_2 ge 8.1 lt 8.1_4 ge 8.2 lt 8.2_2 CVE-2011-1910 SA-11:02.bind http://www.isc.org/software/bind/advisories/cve-2011-1910 |
1f8de723-dab3-11e7-b5af-a4badb2f4699 | FreeBSD -- WPA2 protocol vulnerability. Problem Description: A vulnerability was found in how a number of implementations can be triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by replaying a specific frame that is used to manage the keys. Impact: Such reinstallation of the encryption key can result in two different types of vulnerabilities: disabling replay protection and significantly reducing the security of encryption to the point of allowing frames to be decrypted or some parts of the keys to be determined by an attacker depending on which cipher is used. Discovery 2017-10-16 Entry 2017-12-06 FreeBSD ge 11.1 lt 11.1_2 ge 11.0 lt 11.0_13 ge 10.4 lt 10.4_1 ge 10.3 lt 10.3_22 CVE-2017-1307 CVE-2017-1308 SA-17:07.wpa |
1fa4c9f1-cfca-11da-a672-000e0c2e438a | FreeBSD -- FPU information disclosure. Problem Description: On "7th generation" and "8th generation" processors manufactured by AMD, including the AMD Athlon, Duron, Athlon MP, Athlon XP, Athlon64, Athlon64 FX, Opteron, Turion, and Sempron, the fxsave and fxrstor instructions do not save and restore the FOP, FIP, and FDP registers unless the exception summary bit (ES) in the x87 status word is set to 1, indicating that an unmasked x87 exception has occurred. This behaviour is consistent with documentation provided by AMD, but is different from processors from other vendors, which save and restore the FOP, FIP, and FDP registers regardless of the value of the ES bit. As a result of this discrepancy remaining unnoticed until now, the FreeBSD kernel does not restore the contents of the FOP, FIP, and FDP registers between context switches. Impact: On affected processors, a local attacker can monitor the execution path of a process which uses floating-point operations. This may allow an attacker to steal cryptographic keys or other sensitive information. Workaround: No workaround is available, but systems which do not use AMD Athlon, Duron, Athlon MP, Athlon XP, Athlon64, Athlon64 FX, Opteron, Turion, or Sempron processors are not vulnerable. Discovery 2006-04-19 Entry 2006-04-19 Modified 2016-08-09 FreeBSD ge 6.0 lt 6.0_7 ge 5.4 lt 5.4_14 ge 5.3 lt 5.3_29 ge 5 lt 5.3 ge 4.11 lt 4.11_17 ge 4.10 lt 4.10_23 < 4.10 CVE-2006-1056 SA-06:14.fpu |
22b41bc5-4279-11ea-b184-f8b156ac3ff9 | FreeBSD -- libfetch buffer overflow. Problem Description: A programming error allows an attacker who can specify a URL with a username and/or password components to overflow libfetch(3) buffers. Impact: An attacker in control of the URL to be fetched (possibly via HTTP redirect) may cause a heap buffer overflow, resulting in program misbehavior or malicious code execution. Discovery 2020-01-28 Entry 2020-01-29 FreeBSD ge 12.1 lt 12.1_2 ge 12.0 lt 12.0_13 ge 11.3 lt 11.3_6 CVE-2020-7450 SA-20:01.libfetch |
268a4289-fc84-11e8-be12-a4badb2f4699 | FreeBSD -- Multiple vulnerabilities in NFS server code. Problem Description: Insufficient and improper checking in the NFS server code could cause a denial of service or possibly remote code execution via a specially crafted network packet. Impact: A remote attacker could cause the NFS server to crash, resulting in a denial of service, or possibly execute arbitrary code on the server. Discovery 2018-11-27 Entry 2018-12-10 FreeBSD ge 11.2 lt 11.2_5 CVE-2018-1715 SA-18:13.nfs |
275b845e-f56c-11db-8163-000e0c2e438a | FreeBSD -- IPv6 Routing Header 0 is dangerous. Problem Description: There is no mechanism for preventing IPv6 routing headers from being used to route packets over the same link(s) many times. Impact: An attacker can "amplify" a denial of service attack against a link between two vulnerable hosts; that is, by sending a small volume of traffic the attacker can consume a much larger amount of bandwidth between the two vulnerable hosts. An attacker can use vulnerable hosts to "concentrate" a denial of service attack against a victim host or network; that is, a set of packets sent over a period of 30 seconds or more could be constructed such that they all arrive at the victim within a period of 1 second or less. Other attacks may also be possible. Workaround: No workaround is available. Discovery 2007-04-26 Entry 2007-04-28 Modified 2016-08-09 FreeBSD ge 6.2 lt 6.2_4 ge 6.1 lt 6.1_16 ge 5.5 lt 5.5_12 CVE-2007-2242 SA-07:03.ipv6 |
2920c449-4850-11e5-825f-c80aa9043978 | OpenSSH -- PAM vulnerabilities. Discovery 2015-08-11 Entry 2015-08-21 Modified 2016-08-09 openssh-portable < 7.0.p1,1 FreeBSD ge 10.2 lt 10.2_2 ge 10.1 lt 10.1_19 ge 9.3 lt 9.3_24 http://www.openssh.com/txt/release-7.0 CVE-2015-6563 CVE-2015-6564 CVE-2015-6565 SA-15:22.openssh |
2ae114de-c064-11e1-b5e0-000c299b62e1 | FreeBSD -- OpenSSL multiple vulnerabilities. Problem description: Discovery 2012-05-03 Entry 2012-06-27 FreeBSD ge 7.4 lt 7.4_8 ge 8.1 lt 8.1_10 ge 8.2 lt 8.2_8 ge 8.3 lt 8.3_2 ge 9.0 lt 9.0_2 SA-12:01.openssl CVE-2011-4576 CVE-2011-4619 CVE-2011-4109 CVE-2012-0884 CVE-2012-2110 |
2b6e47b1-0598-11da-86bc-000e0c2e438a | ipsec -- Incorrect key usage in AES-XCBC-MAC. Problem description: A programming error in the implementation of the AES-XCBC-MAC algorithm for authentication resulted in a constant key being used instead of the key specified by the system administrator. Impact: If the AES-XCBC-MAC algorithm is used for authentication in the absence of any encryption, then an attacker may be able to forge packets which appear to originate from a different system and thereby succeed in establishing an IPsec session. If access to sensitive information or systems is controlled based on the identity of the source system, this may result in information disclosure or privilege escalation. Discovery 2005-07-27 Entry 2005-08-05 FreeBSD ge 5.4 lt 5.4_6 ge 5.* lt 5.3_20 CVE-2005-2359 SA-05:19.ipsec |
2c6acefd-8194-11d8-9645-0020ed76ef5a | setsockopt(2) IPv6 sockets input validation error. From the FreeBSD Security Advisory: Discovery 2004-03-29 Entry 2004-03-29 Modified 2004-05-05 FreeBSD ge 5.2 lt 5.2.1_4 CVE-2004-0370 SA-04:06.ipv6 |
2c948527-d823-11e6-9171-14dae9d210b8 | FreeBSD -- OpenSSH multiple vulnerabilities. Problem Description: The ssh-agent(1) agent supports loading a PKCS#11 module from outside a trusted whitelist. An attacker can request loading of a PKCS#11 module across a forwarded agent-socket. [CVE-2016-10009] When privilege separation is disabled, forwarded Unix domain sockets would be created by sshd(8) with the privileges of 'root' instead of the authenticated user. [CVE-2016-10010] Impact: A remote attacker who has control of a forwarded agent-socket on a remote system and has the ability to write files on the system running the ssh-agent(1) agent can run arbitrary code under the same user credential. Because the attacker must already have some control on both systems, it is relatively hard to exploit this vulnerability in a practical attack. [CVE-2016-10009] When privilege separation is disabled (on FreeBSD, privilege separation is enabled by default and has to be explicitly disabled), an authenticated attacker can potentially gain root privileges on systems running OpenSSH server. [CVE-2016-10010] Discovery 2017-01-11 Entry 2017-01-11 Modified 2017-01-13 openssh-portable < 7.3.p1_5,1 FreeBSD ge 11.0 lt 11.0_7 ge 10.3 lt 10.3_16 CVE-2016-10009 CVE-2016-10010 SA-17:01.openssh |
2da3cb25-6571-11e9-8e67-206a8a720317 | FreeBSD -- EAP-pwd missing commit validation. Problem Description: The EAP-pwd implementation in hostapd (EAP server) and wpa_supplicant (EAP peer) does not validate the received scalar and element values in EAP-pwd-Commit messages properly. This could result in attacks that would be able to complete the EAP-pwd authentication exchange without the attacker having to know the used password. See https://w1.fi/security/2019-4/eap-pwd-missing-commit-validation.txt for a detailed description of the bug. Impact: All wpa_supplicant and hostapd versions with EAP-pwd support. Discovery 2019-04-10 Entry 2019-04-23 Modified 2019-07-30 FreeBSD ge 12.0 lt 12.0_3 ge 11.2 lt 11.2_9 wpa_supplicant < 2.8 hostapd < 2.8 CVE-2019-9497 CVE-2019-9498 CVE-2019-9499 SA-19:03.wpa |
2dc764fa-40c0-11dc-aeac-02e0185f8d72 | FreeBSD -- Buffer overflow in tcpdump(1). Problem Description: An un-checked return value in the BGP dissector code can result in an integer overflow. This value is used in subsequent buffer management operations, resulting in a stack based buffer overflow under certain circumstances. Impact: By crafting malicious BGP packets, an attacker could exploit this vulnerability to execute code or crash the tcpdump process on the target system. This code would be executed in the context of the user running tcpdump(1). It should be noted that tcpdump(1) requires privileges in order to open live network interfaces. Workaround: No workaround is available. Discovery 2007-08-01 Entry 2007-08-02 Modified 2016-08-09 tcpdump < 3.9.6 FreeBSD ge 6.2 lt 6.2_7 ge 6.1 lt 6.1_19 ge 5.5 lt 5.5_15 CVE-2007-3798 SA-07:06.tcpdump |
2f794295-7b69-11dd-80ba-000bcdf0a03b | FreeBSD -- Remote kernel panics on IPv6 connections. Problem Description: In case of an incoming ICMPv6 'Packet Too Big Message', there is an insufficient check on the proposed new MTU for a path to the destination. Impact: When the kernel is configured to process IPv6 packets and has active IPv6 TCP sockets, a specifically crafted ICMPv6 'Packet Too Big Message' could cause the TCP stack of the kernel to panic. Workaround: Systems without INET6 / IPv6 support are not vulnerable and neither are systems which do not listen on any IPv6 TCP sockets and have no active IPv6 connections. Filter ICMPv6 'Packet Too Big Messages' using a firewall, but this will at the same time break PMTU support for IPv6 connections. Discovery 2008-09-03 Entry 2008-09-05 Modified 2016-08-09 FreeBSD ge 6.3 lt 6.3_4 ge 7.0 lt 7.0_4 CVE-2008-3530 SA-08:09.icmp6 |
30e4ed7b-1ca6-11da-bc01-000e0c2e438a | bind9 -- denial of service Problem description: A DNSSEC-related validator function in BIND 9.3.0 contains an inappropriate internal consistency test. When this test is triggered, named(8) will exit. Impact: On systems with DNSSEC enabled, a remote attacker may be able to inject a specially crafted packet that will cause the internal consistency test to trigger, and named(8) to terminate. As a result, the name server will no longer be available to service requests. Workaround: DNSSEC is not enabled by default, and the "dnssec-enable" directive is not normally present. If DNSSEC has been enabled, disable it by changing the "dnssec-enable" directive to "dnssec-enable no;" in the named.conf(5) configuration file. Discovery 2005-01-25 Entry 2005-09-03 bind9 eq 9.3.0 FreeBSD ge 5.3 lt 5.3_16 938617 CVE-2005-0034 http://www.uniras.gov.uk/niscc/docs/al-20050125-00060.html?lang=en http://www.isc.org/sw/bind/bind9.3.php#security |
32498c8f-fc84-11e8-be12-a4badb2f4699 | FreeBSD -- Insufficient bounds checking in bhyve(8) device model Problem Description: Insufficient bounds checking in one of the device models provided by bhyve(8) can permit a guest operating system to overwrite memory in the bhyve(8) process, possibly permitting arbitrary code execution. Impact: A guest OS using a firmware image can cause the bhyve process to crash, or possibly execute arbitrary code on the host as root. Discovery 2018-12-04 Entry 2018-12-10 FreeBSD ge 11.2 lt 11.2_6 CVE-2018-1716 SA-18:14.bhyve |
32db37a5-50c3-11db-acf3-000c6ec775d9 | openssh -- multiple vulnerabilities Problem Description: The CRC compensation attack detector in the sshd(8) daemon, upon receipt of duplicate blocks, uses CPU time cubic in the number of duplicate blocks received. [CVE-2006-4924] A race condition exists in a signal handler used by the sshd(8) daemon to handle the LoginGraceTime option, which can potentially cause some cleanup routines to be executed multiple times. [CVE-2006-5051] Impact: An attacker sending specially crafted packets to sshd(8) can cause a Denial of Service by using 100% of CPU time until a connection timeout occurs. Since this attack can be performed over multiple connections simultaneously, it is possible to cause up to MaxStartups (10 by default) sshd processes to use all the CPU time they can obtain. [CVE-2006-4924] The OpenSSH project believes that the race condition can lead to a Denial of Service or potentially remote code execution, but the FreeBSD Security Team has been unable to verify the exact impact. [CVE-2006-5051] Workaround: The attack against the CRC compensation attack detector can be avoided by disabling SSH Protocol version 1 support in sshd_config(5). There is no workaround for the second issue. Discovery 2006-09-25 Entry 2006-09-30 FreeBSD ge 6.1 lt 6.1_10 ge 6.0 lt 6.0_15 ge 5.5 lt 5.5_8 ge 5.4 lt 5.4_22 ge 5.0 lt 5.3_37 < 4.11_25 openssh < 4.4,1 openssh-portable < 4.4.p1,1 20216 CVE-2006-4924 CVE-2006-5051 SA-06:22.openssh http://www.openssh.com/txt/release-4.4 |
3679fd10-c5d1-11e5-b85f-0018fe623f2b | openssl -- multiple vulnerabilities OpenSSL project reports:
Discovery 2016-01-22 Entry 2016-01-28 Modified 2016-08-09 openssl < 1.0.2_7 mingw32-openssl ge 1.0.1 lt 1.0.2f FreeBSD ge 10.2 lt 10.2_12 ge 10.1 lt 10.1_29 ge 9.3 lt 9.3_36 SA-16:11.openssl CVE-2016-0701 CVE-2015-3197 https://www.openssl.org/news/secadv/20160128.txt |
38f2e3a0-b61e-11ec-9ebc-1c697aa5a594 | FreeBSD -- zlib compression out-of-bounds write Problem Description: Certain inputs can cause zlib's compression routine to overwrite an internal buffer with compressed data. This issue may require the use of uncommon or non-default compression parameters. Impact: The out-of-bounds write may result in memory corruption and an application crash or kernel panic. Discovery 2022-04-06 Entry 2022-04-07 FreeBSD ge 13.0 lt 13.0_11 ge 12.3 lt 12.3_5 CVE-2018-25032 SA-22:08.zlib |
39f6cbff-b30a-11e9-a87f-a4badb2f4699 | FreeBSD -- telnet(1) client multiple vulnerabilities Problem Description: Insufficient validation of environment variables in the telnet client supplied in FreeBSD can lead to stack-based buffer overflows. A stack-based overflow is present in the handling of environment variables when connecting via the telnet client to remote telnet servers. This issue only affects the telnet client. Inbound telnet sessions to telnetd(8) are not affected by this issue. Impact: These buffer overflows may be triggered when connecting to a malicious server, or by an active attacker in the network path between the client and server. Specially crafted TELNET command sequences may cause the execution of arbitrary code with the privileges of the user invoking telnet(1). Discovery 2019-07-24 Entry 2019-07-30 FreeBSD ge 12.0 lt 12.0_8 ge 11.2 lt 11.2_12 ge 11.3 lt 11.3_1 CVE-2019-0053 SA-19:12.telnet |
3c0237f5-420e-11e7-82c5-14dae9d210b8 | FreeBSD -- Multiple vulnerabilities of ntp Problem Description: A vulnerability was discovered in the NTP server's parsing of configuration directives. [CVE-2017-6464] A vulnerability was found in NTP, in the parsing of packets from the DPTS Clock. [CVE-2017-6462] A vulnerability was discovered in the NTP server's parsing of configuration directives. [CVE-2017-6463] A vulnerability was found in NTP, affecting the origin timestamp check function. [CVE-2016-9042] Impact: A remote, authenticated attacker could cause ntpd to crash by sending a crafted message. [CVE-2017-6463, CVE-2017-6464] A malicious device could send crafted messages, causing ntpd to crash. [CVE-2017-6462] An attacker able to spoof messages from all of the configured peers could send crafted packets to ntpd, causing later replies from those peers to be discarded, resulting in denial of service. [CVE-2016-9042] Discovery 2017-04-12 Entry 2017-05-26 FreeBSD ge 11.0 lt 11.0_9 ge 10.3 lt 10.3_18 CVE-2016-9042 CVE-2017-6462 CVE-2017-6463 CVE-2017-6464 SA-17:03.ntp |
3c7edc7a-f680-11e9-a87f-a4badb2f4699 | FreeBSD -- Multiple vulnerabilities in bzip2 Problem Description: The decompressor used in bzip2 contains a bug which can lead to an out-of-bounds write when processing a specially crafted bzip2(1) file. bzip2recover contains a heap use-after-free bug which can be triggered when processing a specially crafted bzip2(1) file. Impact: An attacker who can cause maliciously crafted input to be processed may trigger either of these bugs. The bzip2recover bug may cause a crash, permitting a denial-of-service. The bzip2 decompressor bug could potentially be exploited to execute arbitrary code. Note that some utilities, including the tar(1) archiver and the bspatch(1) binary patching utility (used in portsnap(8) and freebsd-update(8)), decompress bzip2(1)-compressed data internally; system administrators should assume that their systems will at some point decompress bzip2(1)-compressed data even if they never explicitly invoke the bunzip2(1) utility. Discovery 2019-08-06 Entry 2019-10-24 FreeBSD ge 12.0 lt 12.0_9 ge 11.3 lt 11.3_2 ge 11.2 lt 11.2_13 CVE-2016-3189 CVE-2019-1290 SA-19:18.bzip2 |
3c90e093-7c6e-11e2-809b-6c626d99876c | FreeBSD -- glob(3) related resource exhaustion Problem description:
Discovery 2013-02-19 Entry 2013-02-21 Modified 2016-08-09 FreeBSD ge 7.4 lt 7.4_12 ge 8.3 lt 8.3_6 ge 9.0 lt 9.0_6 ge 9.1 lt 9.1_1 SA-13:02.libc CVE-2010-2632 |
3cb6f059-c69d-11db-9f82-000e0c2e438a | bind -- Multiple Denial of Service vulnerabilities Problem Description: A type * (ANY) query response containing multiple RRsets can trigger an assertion failure. Certain recursive queries can cause the nameserver to crash by using memory which has already been freed. Impact: A remote attacker sending a type * (ANY) query to an authoritative DNS server for a DNSSEC signed zone can cause the named(8) daemon to exit, resulting in a Denial of Service. A remote attacker sending recursive queries can cause the nameserver to crash, resulting in a Denial of Service. Workaround: There is no workaround available, but systems which are not authoritative servers for DNSSEC signed zones are not affected by the first issue; and systems which do not permit untrusted users to perform recursive DNS resolution are not affected by the second issue. Note that the default configuration for named(8) in FreeBSD allows local access only (which on many systems is equivalent to refusing access to untrusted users). Discovery 2007-02-09 Entry 2007-02-27 Modified 2016-08-09 named < 9.3.4 FreeBSD ge 6.2 lt 6.2_1 ge 6.1 lt 6.1_13 ge 5.5 lt 5.5_11 CVE-2007-0493 CVE-2007-0494 SA-07:02.bind |
3d95c9a7-7d5c-11e3-a8c1-206a8a720317 | ntpd DRDoS / Amplification Attack using ntpdc monlist command ntp.org reports:
Discovery 2014-01-01 Entry 2014-01-14 Modified 2016-08-09 ntp < 4.2.7p26 FreeBSD ge 8.3 lt 8.3_14 ge 8.4 lt 8.4_7 ge 9.1 lt 9.1_10 ge 9.2 lt 9.2_3 CVE-2013-5211 SA-14:02.ntpd http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using |
3de342fb-40be-11dc-aeac-02e0185f8d72 | FreeBSD -- Predictable query ids in named(8) Problem Description: When named(8) is operating as a recursive DNS server or sending NOTIFY requests to slave DNS servers, named(8) uses a predictable query id. Impact: An attacker who can see the query id for some request(s) sent by named(8) is likely to be able to perform DNS cache poisoning by predicting the query id for other request(s). Workaround: No workaround is available. Discovery 2007-07-24 Entry 2007-08-02 Modified 2016-08-09 named ge 9.4 lt 9.4.1.1 ge 9.3 lt 9.3.4.1 FreeBSD ge 6.2 lt 6.2_7 ge 6.1 lt 6.1_19 ge 5.5 lt 5.5_15 CVE-2007-2926 SA-07:07.bind |
3e9d2fde-0567-11ec-b69d-4062311215d5 | FreeBSD -- Remote code execution in ggatec(8) Problem Description: The ggatec(8) daemon does not validate the size of a response before writing it to a fixed-sized buffer. This allows the stack of ggatec(8) to be overwritten. Impact: A malicious ggated(8) or an attacker in a privileged network position can overwrite the stack with crafted content and potentially execute arbitrary code. Discovery 2021-08-24 Entry 2021-08-25 FreeBSD ge 13.0 lt 13.0_4 ge 12.2 lt 12.2_10 ge 11.4 lt 11.4_13 CVE-2021-29630 SA-21:14.ggatec |
3ec8f43b-e8ef-11d9-b875-0001020eed82 | kernel -- TCP connection stall denial of service Problem Description: Two problems have been discovered in the FreeBSD TCP stack. First, when a TCP packet containing a timestamp is received, inadequate checking of sequence numbers is performed, allowing an attacker to artificially increase the internal "recent" timestamp for a connection. Second, a TCP packet with the SYN flag set is accepted for established connections, allowing an attacker to overwrite certain TCP options. Impact: Using either of the two problems, an attacker with knowledge of the local and remote IP and port numbers associated with a connection can cause a denial of service situation by stalling the TCP connection. The stalled TCP connection may be closed after some time by the other host. Workaround: In some cases it may be possible to defend against these attacks by blocking the attack packets using a firewall. Packets used to effect either of these attacks would have spoofed source IP addresses. Discovery 2005-06-29 Entry 2005-06-29 Modified 2016-08-09 FreeBSD ge 5.4 lt 5.4_3 ge 5.0 lt 5.3_17 ge 4.11 lt 4.11_11 < 4.10_16 637934 CVE-2005-0356 CVE-2005-2068 SA-05:15.tcp |
406779fd-ca3b-11df-aade-0050568f000c | FreeBSD -- SSL protocol flaw Problem Description: The SSL version 3 and TLS protocols support session renegotiation without cryptographically tying the new session parameters to the old parameters. Discovery 2009-12-03 Entry 2010-10-24 Modified 2016-08-09 FreeBSD ge 6.3 lt 6.3_14 ge 6.4 lt 6.4_8 ge 7.1 lt 7.1_9 ge 7.2 lt 7.2_5 ge 8.0 lt 8.0_1 SA-09:15.ssl |
420243e9-a840-11e7-b5af-a4badb2f4699 | FreeBSD -- heimdal KDC-REP service name validation vulnerability Problem Description: There is a programming error in the Heimdal implementation that used an unauthenticated, plain-text version of the KDC-REP service name found in a ticket. Impact: An attacker who has control of the network between a client and the service it talks to will be able to impersonate the service, allowing a successful man-in-the-middle (MITM) attack that circumvents the mutual authentication. Discovery 2017-07-12 Entry 2017-10-03 FreeBSD ge 11.0 lt 11.0_11 ge 10.3 lt 10.3_20 CVE-2017-1110 SA-17:05.heimdal |
43eaa656-80bc-11e6-bf52-b499baebfeaf | OpenSSL -- multiple vulnerabilities OpenSSL reports:
Discovery 2016-09-22 Entry 2016-09-22 Modified 2016-10-11 openssl-devel ge 1.1.0 lt 1.1.0_1 openssl < 1.0.2i,1 linux-c6-openssl < 1.0.1e_11 FreeBSD ge 10.3 lt 10.3_8 ge 10.2 lt 10.2_21 ge 10.1 lt 10.1_38 ge 9.3 lt 9.3_46 https://www.openssl.org/news/secadv/20160922.txt CVE-2016-6304 CVE-2016-6305 CVE-2016-2183 CVE-2016-6303 CVE-2016-6302 CVE-2016-2182 CVE-2016-2180 CVE-2016-2177 CVE-2016-2178 CVE-2016-2179 CVE-2016-2181 CVE-2016-6306 CVE-2016-6307 CVE-2016-6308 SA-16:26.openssl |
44449bf7-c69b-11db-9f82-000e0c2e438a | gtar -- name mangling symlink vulnerability Problem Description: Symlinks created using the "GNUTYPE_NAMES" tar extension can be absolute due to lack of proper sanity checks. Impact: If an attacker can get a user to extract a specially crafted tar archive, the attacker can overwrite arbitrary files with the permissions of the user running gtar. If file system permissions allow it, this may allow the attacker to overwrite important system files (if gtar is being run as root), or important user configuration files such as .tcshrc or .bashrc, which would allow the attacker to run arbitrary commands. Workaround: Use "bsdtar", which is the default tar implementation in FreeBSD 5.3 and higher. For FreeBSD 4.x, bsdtar is available in the FreeBSD Ports Collection as ports/archivers/libarchive. Discovery 2006-12-06 Entry 2007-02-27 Modified 2016-08-09 FreeBSD ge 5.5 lt 5.5_9 ge 4.11 lt 4.11_26 CVE-2006-6097 SA-06:26.gtar |
446dbecb-9edc-11d8-9366-0020ed76ef5a | heimdal kadmind remote heap buffer overflow An input validation error was discovered in the kadmind code that handles the framing of Kerberos 4 compatibility administration requests. The code assumed that the length given in the framing was always two or more bytes. Smaller lengths will cause kadmind to read an arbitrary amount of data into a minimally-sized buffer on the heap. A remote attacker may send a specially formatted message to kadmind, causing it to crash or possibly resulting in arbitrary code execution. The kadmind daemon is part of Kerberos 5 support. However, this bug will only be present if kadmind was built with additional Kerberos 4 support. Thus, only systems that have *both* Heimdal Kerberos 5 and Kerberos 4 installed might be affected. NOTE: On FreeBSD 4 systems, `kadmind' may be installed as `k5admind'. Discovery 2004-05-05 Entry 2004-05-05 heimdal < 0.6.1_1 FreeBSD ge 4.9 lt 4.9_7 ge 4.0 lt 4.8_20 CVE-2004-0434 SA-04:09.kadmind |
45671c0e-a652-11e8-805b-a4badb2f4699 | FreeBSD -- Unauthenticated EAPOL-Key Decryption Vulnerability Problem Description: When using WPA2, for EAPOL-Key frames with the Encrypted flag set and without the MIC flag set, the data field was decrypted first without verifying the MIC. When the data field was encrypted using RC4, for example when negotiating TKIP as a pairwise cipher, the unauthenticated but decrypted data was subsequently processed. This opened wpa_supplicant(8) to abuse by decryption and recovery of sensitive information contained in EAPOL-Key messages. See https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt for a detailed description of the bug. Impact: All users of the WPA2 TKIP pairwise cipher are vulnerable to disclosure of information, for example the group key. Discovery 2018-08-14 Entry 2018-08-22 FreeBSD ge 11.2 lt 11.2_2 ge 11.1 lt 11.1_13 ge 10.4 lt 10.4_11 CVE-2018-1452 SA-18:11.hostapd |
45a95fdd-f680-11e9-a87f-a4badb2f4699 | FreeBSD -- Insufficient message length validation in bsnmp library Problem Description: A function extracting the length from type-length-value encoding is not properly validating the submitted length. Impact: A remote user could cause, for example, an out-of-bounds read, decoding of unrelated data, or trigger a crash of the software such as bsnmpd, resulting in a denial of service. Discovery 2019-08-06 Entry 2019-10-24 FreeBSD ge 12.0 lt 12.0_9 ge 11.3 lt 11.3_2 ge 11.2 lt 11.2_13 CVE-2019-5610 SA-19:20.bsnmp |
4671cdc9-7c6d-11e2-809b-6c626d99876c | FreeBSD -- BIND remote DoS with deliberately crafted DNS64 query Problem description:
Discovery 2013-02-19 Entry 2013-02-21 FreeBSD ge 9.0 lt 9.0_6 ge 9.1 lt 9.1_1 SA-13:01.bind CVE-2012-5688 |
46b922a8-c69c-11db-9f82-000e0c2e438a | FreeBSD -- Jail rc.d script privilege escalation Problem Description: In multiple situations the host's jail rc.d(8) script does not check if a path inside the jail file system structure is a symbolic link before using the path. In particular this is the case when writing the output from the jail start-up to /var/log/console.log and when mounting and unmounting file systems inside the jail directory structure. Impact: Due to the lack of handling of potential symbolic links, the host's jail rc.d(8) script is vulnerable to "symlink attacks". By replacing /var/log/console.log inside the jail with a symbolic link, it is possible for the superuser (root) inside the jail to overwrite files on the host system outside the jail with arbitrary content. This in turn can be used to execute arbitrary commands with non-jailed superuser privileges. Similarly, by changing directory mount points inside the jail file system structure into symbolic links, it may be possible for a jailed attacker to mount file systems which were meant to be mounted inside the jail at arbitrary points in the host file system structure, or to unmount arbitrary file systems on the host system. NOTE WELL: The above vulnerabilities occur only when a jail is being started or stopped using the host's jail rc.d(8) script; once started (and until stopped), running jails cannot exploit this. Workaround: If the sysctl(8) variable security.jail.chflags_allowed is set to 0 (the default), setting the "sunlnk" system flag on /var, /var/log, /var/log/console.log, and all file system mount points and their parent directories inside the jail(s) will ensure that the console log file and mount points are not replaced by symbolic links. If this is done while jails are running, the administrator must check that an attacker has not replaced any directories with symlinks after setting the "sunlnk" flag. Discovery 2007-01-11 Entry 2007-02-27 Modified 2016-08-09 FreeBSD ge 6.1 lt 6.1_12 ge 6.0 lt 6.0_17 ge 5.5 lt 5.5_15 CVE-2007-0166 SA-07:01.jail |
48103b0a-ca3f-11df-aade-0050568f000c | FreeBSD -- ntpd mode 7 denial of service Problem Description: If ntpd receives a mode 7 (MODE_PRIVATE) request or error response from a source address not listed in either a 'restrict ... noquery' or a 'restrict ... ignore' section, it will log the event and send a mode 7 error response. Discovery 2010-01-06 Entry 2010-10-24 Modified 2016-08-09 FreeBSD ge 6.3 lt 6.3_15 ge 6.4 lt 6.4_9 ge 7.1 lt 7.1_10 ge 7.2 lt 7.2_6 ge 8.0 lt 8.0_2 SA-10:02.ntpd |
4b79538b-a450-11e2-9898-001060e06fd4 | FreeBSD -- Multiple Denial of Service vulnerabilities with named(8) Problem description:
Discovery 2012-11-22 Entry 2012-11-24 FreeBSD ge 7.4 lt 7.4_11 ge 8.3 lt 8.3_5 ge 9.0 lt 9.0_5 SA-12:06.bind CVE-2012-4244 CVE-2012-5166 |
4c8d1d72-9b38-11e5-aece-d050996490d0 | openssl -- multiple vulnerabilities OpenSSL project reports:
Discovery 2015-12-03 Entry 2015-12-05 Modified 2016-08-09 openssl < 1.0.2_5 mingw32-openssl ge 1.0.1 lt 1.0.2e linux-c6-openssl < 1.0.1e_7 FreeBSD ge 10.2 lt 10.2_8 ge 10.1 lt 10.1_25 ge 9.3 lt 9.3_31 SA-15:26.openssl CVE-2015-1794 CVE-2015-3193 CVE-2015-3194 CVE-2015-3195 CVE-2015-3196 https://www.openssl.org/news/secadv/20151203.txt |
4c96ecf2-5fd9-11e6-a6c3-14dae9d210b8 | FreeBSD -- bsnmpd remote denial of service vulnerability Problem Description: The bsnmpd(8) daemon is prone to a stack-based buffer-overflow when it has received a specifically crafted GETBULK PDU request. Impact: This issue could be exploited to execute arbitrary code in the context of the service daemon, or crash the service daemon, causing a denial-of-service. Discovery 2014-01-14 Entry 2016-08-11 FreeBSD ge 9.2 lt 9.2_3 ge 9.1 lt 9.1_10 ge 8.4 lt 8.4_7 ge 8.3 lt 8.3_14 CVE-2014-1452 SA-14:01.bsnmpd |
4d87d357-202c-11e3-be06-000c29ee3065 | FreeBSD -- Insufficient credential checks in network ioctl(2) Problem Description: As is commonly the case, the IPv6 and ATM network layer ioctl request handlers are written in such a way that an unrecognized request is passed on unmodified to the link layer, which will either handle it or return an error code. Network interface drivers, however, assume that the SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR and SIOCSIFNETMASK requests have been handled at the network layer, and therefore do not perform input validation or verify the caller's credentials. Typical link-layer actions for these requests may include marking the interface as "up" and resetting the underlying hardware. Impact: An unprivileged user with the ability to run arbitrary code can cause any network interface in the system to perform the link layer actions associated with a SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR or SIOCSIFNETMASK ioctl request; or trigger a kernel panic by passing a specially crafted address structure which causes a network interface driver to dereference an invalid pointer. Although this has not been confirmed, the possibility that an attacker may be able to execute arbitrary code in kernel context cannot be ruled out. Discovery 2013-09-10 Entry 2013-09-19 Modified 2016-08-09 FreeBSD ge 9.1 lt 9.1_7 ge 8.4 lt 8.4_4 ge 8.3 lt 8.3_11 CVE-2013-5691 SA-13:12.ifioctl |
4ddc78dc-300a-11e1-a2aa-0016ce01e285 | krb5-appl -- telnetd code execution vulnerability The MIT Kerberos Team reports:
Discovery 2011-12-23 Entry 2011-12-26 Modified 2012-01-29 FreeBSD ge 7.3 lt 7.3_9 ge 7.4 lt 7.4_5 ge 8.1 lt 8.1_7 ge 8.2 lt 8.2_5 krb5-appl < 1.0.2_1 SA-11:08.telnetd CVE-2011-4862 http://security.FreeBSD.org/advisories/FreeBSD-SA-11:08.telnetd.asc http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-008.txt |
4e536c14-9791-11e4-977d-d050992ecde8 | OpenSSL -- multiple vulnerabilities OpenSSL project reports:
Discovery 2015-01-08 Entry 2015-01-08 Modified 2016-08-09 openssl ge 1.0.1 lt 1.0.1_17 mingw32-openssl ge 1.0.1 lt 1.0.1k linux-c6-openssl < 1.0.1e_3 FreeBSD ge 10.1 lt 10.1_4 ge 10.0 lt 10.0_16 ge 9.3 lt 9.3_8 ge 8.4 lt 8.4_22 SA-15:01.openssl CVE-2014-3569 CVE-2014-3570 CVE-2014-3571 CVE-2014-3572 CVE-2014-8275 CVE-2015-0204 CVE-2015-0205 CVE-2015-0206 https://www.openssl.org/news/secadv_20150108.txt |
4eae4f46-b5ce-11e5-8a2b-d050996490d0 | ntp -- denial of service vulnerability Network Time Foundation reports:
Discovery 2015-10-21 Entry 2016-01-08 Modified 2016-08-09 ntp < 4.2.8p5 ntp-devel < 4.3.78 FreeBSD ge 10.2 lt 10.2_9 ge 10.1 lt 10.1_26 ge 9.3 lt 9.3_33 SA-16:02.ntp CVE-2015-5300 https://www.cs.bu.edu/~goldbe/NTPattack.html http://support.ntp.org/bin/view/Main/NtpBug2956 http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p5_Securit |
50383bde-b25b-11de-8c83-02e0185f8d72 | FreeBSD -- Devfs / VFS NULL pointer race condition Problem Description: Due to the interaction between devfs and VFS, a race condition exists where the kernel might dereference a NULL pointer. Impact: Successful exploitation of the race condition can lead to local kernel privilege escalation, kernel data corruption and/or crash. To exploit this vulnerability, an attacker must be able to run code with user privileges on the target system. Workaround: An errata note, FreeBSD-EN-09:05.null, has been released simultaneously with this advisory, and contains a kernel patch implementing a workaround for a broader class of vulnerabilities. However, prior to those changes, no workaround is available. Discovery 2009-10-02 Entry 2009-10-06 Modified 2016-08-09 FreeBSD ge 6.3 lt 6.3_13 ge 6.4 lt 6.4_7 ge 7.1 lt 7.1_8 ge 7.2 lt 7.2_4 SA-09:14.devfs |
5237f5d7-c020-11e5-b397-d050996490d0 | ntp -- multiple vulnerabilities Network Time Foundation reports:
Discovery 2016-01-20 Entry 2016-01-21 Modified 2016-08-09 ntp < 4.2.8p6 ntp-devel < 4.3.90 FreeBSD ge 10.2 lt 10.2_11 ge 10.1 lt 10.1_28 ge 9.3 lt 9.3_35 SA-16:09.ntp CVE-2015-7973 CVE-2015-7974 CVE-2015-7975 CVE-2015-7976 CVE-2015-7977 CVE-2015-7978 CVE-2015-7979 CVE-2015-8138 CVE-2015-8139 CVE-2015-8140 CVE-2015-8158 http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit |
52ba7713-9d42-11da-8c1d-000e0c2e438a | pf -- IP fragment handling panic Problem description: A logic bug in pf's IP fragment cache may result in a packet fragment being inserted twice, violating a kernel invariant. Impact: By sending carefully crafted sequence of IP packet fragments, a remote attacker can cause a system running pf with a ruleset containing a 'scrub fragment crop' or 'scrub fragment drop-ovl' rule to crash. Workaround: Do not use 'scrub fragment crop' or 'scrub fragment drop-ovl' rules on systems running pf. In most cases, such rules can be replaced by 'scrub fragment reassemble' rules; see the pf.conf(5) manual page for more details. Systems which do not use pf, or use pf but do not use the aforementioned rules, are not affected by this issue. Discovery 2006-01-25 Entry 2006-02-14 Modified 2016-08-09 FreeBSD ge 6.0 lt 6.0_4 ge 5.4 lt 5.4_10 ge 5.3 lt 5.3_25 CVE-2006-0381 SA-06:07.pf |
5536c8e4-36b3-11e2-a633-902b343deec9 | FreeBSD -- Linux compatibility layer input validation error Problem description:
Discovery 2012-11-22 Entry 2012-11-24 FreeBSD ge 7.4 lt 7.4_11 ge 8.3 lt 8.3_5 ge 9.0 lt 9.0_5 SA-12:08.linux CVE-2012-4576 |
5631ae98-be9e-11e3-b5e3-c80aa9043978 | OpenSSL -- Remote Information Disclosure OpenSSL Reports:
Discovery 2014-04-07 Entry 2014-04-07 Modified 2014-04-11 openssl ge 1.0.1 lt 1.0.1_10 mingw32-openssl ge 1.0.1 lt 1.0.1g FreeBSD ge 10.0 lt 10.0_1 CVE-2014-0160 SA-14:06.openssl https://www.openssl.org/news/secadv_20140407.txt https://www.openssl.org/news/vulnerabilities.html#2014-0076 http://www.heartbleed.com |
5796858d-db0b-11dd-aa56-000bcdf0a03b | FreeBSD -- arc4random(9) predictable sequence vulnerability Problem Description: When the arc4random(9) random number generator is initialized, there may be inadequate entropy to meet the needs of kernel systems which rely on arc4random(9); and it may take up to 5 minutes before arc4random(9) is reseeded with secure entropy from the Yarrow random number generator. Impact: All security-related kernel subsystems that rely on a quality random number generator are subject to a wide range of possible attacks for the 300 seconds after boot or until 64k of random data is consumed. The list includes: * GEOM ELI providers with onetime keys. When a provider is configured in a way so that it gets attached at the same time during boot (e.g. it uses the rc subsystem to initialize) it might be possible for an attacker to recover the encrypted data. * GEOM shsec providers. The GEOM shsec subsystem is used to split a shared secret between two providers so that it can be recovered when both of them are present. This is done by writing the random sequence to one of the providers while appending the result of the random sequence on the other host to the original data. If the provider was created within the first 300 seconds after booting, it might be possible for an attacker to extract the original data with access to only one of the two providers between which the secret data is split. * System processes started early after boot may receive predictable IDs. * The 802.11 network stack uses arc4random(9) to generate initial vectors (IV) for WEP encryption when operating in client mode and WEP authentication challenges when operating in hostap mode, which may be insecure. * The IPv4, IPv6 and TCP/UDP protocol implementations rely on a quality random number generator to produce unpredictable IP packet identifiers, initial TCP sequence numbers and outgoing port numbers. During the first 300 seconds after booting, it may be easier for an attacker to execute IP session hijacking, OS fingerprinting, idle scanning, or in some cases DNS cache poisoning and blind TCP data injection attacks. * The kernel RPC code uses arc4random(9) to retrieve transaction identifiers, which might make RPC clients vulnerable to hijacking attacks. Workaround: No workaround is available for affected systems. Discovery 2008-11-24 Entry 2009-01-05 Modified 2016-08-09 FreeBSD ge 6.3 lt 6.3_6 ge 7.0 lt 7.0_6 CVE-2008-5162 SA-08.11.arc4random |
58033a95-bba8-11e4-88ae-d050992ecde8 | bind -- denial of service vulnerability ISC reports:
Discovery 2015-02-18 Entry 2015-02-23 Modified 2016-08-09 bind910 bind910-base < 9.10.1P2 bind99 bind99-base < 9.9.6P2 FreeBSD ge 9.3 lt 9.3_10 ge 8.4 lt 8.4_24 SA-15:05.bind CVE-2015-1349 https://kb.isc.org/article/AA-01235 |
591a706b-5cdc-11ea-9a0a-206a8a720317 | ntp -- Multiple vulnerabilities nwtime.org reports:
Discovery 2019-05-30 Entry 2020-03-03 FreeBSD ge 11.3 lt 11.3_7 ge 12.1 lt 12.1_3 ntp < 4.2.8p14 ntp-devel le 4.3.99_6 SA-20:09.ntp |
5a668ab3-8d86-11eb-b8d6-d4c9ef517024 | OpenSSL -- Multiple vulnerabilities The OpenSSL project reports:
Discovery 2021-03-25 Entry 2021-03-26 Modified 2021-04-07 openssl < 1.1.1k,1 FreeBSD ge 12.2 lt 12.2_5 https://www.openssl.org/news/secadv/20210325.txt CVE-2021-3449 CVE-2021-3450 SA-21:07.openssl |
5ac53801-ec2e-11e3-9cf3-3c970e169bc2 | OpenSSL -- multiple vulnerabilities The OpenSSL Project reports:
Discovery 2014-06-05 Entry 2014-06-05 openssl ge 1.0.1 lt 1.0.1_13 mingw32-openssl ge 1.0.1 lt 1.0.1h FreeBSD ge 8.0 lt 8.4_12 ge 9.1 lt 9.1_15 ge 9.2 lt 9.2_8 ge 10.0 lt 10.0_5 CVE-2014-0195 CVE-2014-0221 CVE-2014-0224 CVE-2014-3470 SA-14:14.openssl http://www.openssl.org/news/secadv_20140605.txt |
5b74a5bc-348f-11e5-ba05-c80aa9043978 | OpenSSH -- MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices
Discovery 2015-07-21 Entry 2015-07-27 Modified 2016-08-09 openssh-portable < 6.9.p1_2,1 FreeBSD ge 10.1 lt 10.1_16 ge 9.3 lt 9.3_21 ge 8.4 lt 8.4_36 https://access.redhat.com/security/cve/CVE-2015-5600 CVE-2015-5600 SA-15:16.openssh |
5c554c0f-c69a-11db-9f82-000e0c2e438a | FreeBSD -- Kernel memory disclosure in firewire(4) Problem Description: In the FW_GCROM ioctl, a signed integer comparison is used instead of an unsigned integer comparison when computing the length of a buffer to be copied from the kernel into the calling application. Impact: A user in the "operator" group can read the contents of kernel memory. Such memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way; for example, a terminal buffer might include a user-entered password. Workaround: No workaround is available, but systems without IEEE 1394 ("FireWire") interfaces are not vulnerable. (Note that systems with IEEE 1394 interfaces are affected regardless of whether any devices are attached.) Note also that FreeBSD does not have any non-root users in the "operator" group by default; systems on which no users have been added to this group are therefore also not vulnerable. Discovery 2006-12-06 Entry 2007-02-27 Modified 2016-08-09 FreeBSD ge 6.1 lt 6.1_11 ge 6.0 lt 6.2_16 ge 5.5 lt 5.5_9 ge 4.11 lt 4.11_26 CVE-2006-6013 SA-06:25.kmem |
60129efe-656d-11e9-8e67-206a8a720317 | FreeBSD -- EAP-pwd side-channel attack Problem Description: Potential side channel attacks exist in the SAE implementations used by both hostapd and wpa_supplicant (see CVE-2019-9494 and VU#871675). EAP-pwd uses a similar design for deriving PWE from the password and, while a specific attack against EAP-pwd is not yet known to be tested, there is no reason to believe that the EAP-pwd implementation would be immune against the type of cache attack that was identified for the SAE implementation. Since the EAP-pwd implementation in hostapd (EAP server) and wpa_supplicant (EAP peer) does not support MODP groups, the timing attack described against SAE is not applicable for the EAP-pwd implementation. See https://w1.fi/security/2019-2/eap-pwd-side-channel-attack.txt for a detailed description of the bug. Impact: All wpa_supplicant and hostapd versions with EAP-pwd support (CONFIG_EAP_PWD=y in the build configuration and EAP-pwd being enabled in the runtime configuration). Discovery 2019-04-10 Entry 2019-04-23 FreeBSD ge 12.0 lt 12.0_3 ge 11.2 lt 11.2_9 wpa_supplicant < 2.8 hostapd < 2.8 CVE-2019-9495 |
60e26a40-3b25-11da-9484-00123ffe8333 | openssl -- potential SSL 2.0 rollback Vulnerability:
Discovery 2005-10-11 Entry 2005-10-12 Modified 2005-10-25 openssl openssl-overwrite-base le 0.9.7g ge 0.9.8 le 0.9.8_1 ge 0.9.*_20050325 le 0.9.*_20051011 openssl-beta openssl-beta-overwrite-base le 0.9.8_1 ge 0.9.*_20050325 le 0.9.*_20051011 compat5x-alpha compat5x-amd64 compat5x-i386 compat5x-sparc64 < 5.4.0.8 FreeBSD < 4.10_19 ge 4.11 lt 4.11_13 ge 5.3 lt 5.3_23 ge 5.4 lt 5.4_8 SA-05:21.openssl CVE-2005-2969 http://www.openssl.org/news/secadv_20051011.txt |
6111ecb8-b20d-11da-b2fb-000e0c2e438a | nfs -- remote denial of service Problem description: A part of the NFS server code charged with handling incoming RPC messages via TCP had an error which, when the server received a message with a zero-length payload, would cause a NULL pointer dereference resulting in a kernel panic. The kernel will only process the RPC messages if a userland nfsd daemon is running. Impact: The NULL pointer dereference allows a remote attacker capable of sending RPC messages to an affected FreeBSD system to crash the FreeBSD system. Workaround:
Discovery 2006-03-01 Entry 2006-03-12 Modified 2016-08-09 FreeBSD ge 6.0 lt 6.0_5 ge 5.4 lt 5.4_12 ge 5.3 lt 5.3_27 ge 4.11 lt 4.11_15 ge 4.10 lt 4.10_21 CVE-2006-0900 SA-06:10.nfs |
63bd4bad-dffe-11d9-b875-0001020eed82 | gzip -- directory traversal and permission race vulnerabilities Problem Description: Two problems related to extraction of files exist in gzip: The first problem is that gzip does not properly sanitize filenames containing "/" when uncompressing files using the -N command line option. The second problem is that gzip does not set permissions on newly extracted files until after the file has been created and the file descriptor has been closed. Impact: The first problem can allow an attacker to overwrite arbitrary local files when uncompressing a file using the -N command line option. The second problem can allow a local attacker to change the permissions of arbitrary local files, on the same partition as the one the user is uncompressing a file on, by removing the file the user is uncompressing and replacing it with a hardlink before the uncompress operation is finished. Workaround: Do not use the -N command line option on untrusted files and do not uncompress files in directories where untrusted users have write access. Discovery 2005-04-20 Entry 2005-06-18 Modified 2005-07-06 FreeBSD ge 5.4 lt 5.4_2 ge 5.0 lt 5.3_16 ge 4.11 lt 4.11_10 ge 4.10 lt 4.10_15 ge 4.9 lt 4.9_18 < 4.8_33 gzip < 1.3.5_2 CVE-2005-0988 CVE-2005-1228 SA-05:11.gzip http://marc.theaimsgroup.com/?l=bugtraq&m=111271860708210 http://marc.theaimsgroup.com/?l=bugtraq&m=111402732406477 |
655ee1ec-511b-11dd-80ba-000bcdf0a03b | FreeBSD -- DNS cache poisoning Problem Description: The BIND DNS implementation does not randomize the UDP source port when doing remote queries, and the query id alone does not provide adequate randomization. Impact: The lack of source port randomization reduces the amount of data the attacker needs to guess in order to successfully execute a DNS cache poisoning attack. This allows the attacker to influence or control the results of DNS queries being returned to users from target systems. Workaround: Limiting the group of machines that can do recursive queries on the DNS server will make it more difficult, but not impossible, for this vulnerability to be exploited. To limit the machines able to perform recursive queries, add an ACL in named.conf and limit recursion like the following: `acl example-acl { 192.0.2.0/24; }; options { recursion yes; allow-recursion { example-acl; }; };` Discovery 2008-07-08 Entry 2008-07-13 Modified 2016-08-09 FreeBSD ge 6.3 lt 6.3_3 ge 7.0 lt 7.0_3 800113 CVE-2008-1447 SA-08:06.bind |
67710833-1626-11d9-bc4a-000c41e2cdad | Boundary checking errors in syscons The syscons CONS_SCRSHOT ioctl(2) does insufficient validation of its input arguments. In particular, negative coordinates or large coordinates may cause unexpected behavior. It may be possible to cause the CONS_SCRSHOT ioctl to return portions of kernel memory. Such memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way. For example, a terminal buffer might include a user-entered password. This bug may be exploitable by users who have access to the physical console or can otherwise open a /dev/ttyv* device node. Discovery 2004-09-30 Entry 2004-10-04 FreeBSD ge 5.0 lt 5.2.1_11 CVE-2004-0919 SA-04:15.syscons https://svnweb.freebsd.org/changeset/base/135942 |
68233cba-7774-11d8-89ed-0020ed76ef5a | OpenSSL ChangeCipherSpec denial-of-service vulnerability A remote attacker could cause an application using OpenSSL to crash by performing a specially crafted SSL/TLS handshake. Discovery 2004-03-17 Entry 2004-03-17 Modified 2004-05-05 openssl openssl-beta < 0.9.7d FreeBSD ge 4.0 lt 4.8_17 ge 4.9 lt 4.9_4 ge 5.0 lt 5.1_16 ge 5.2 lt 5.2.1_3 CVE-2004-0079 http://www.openssl.org/news/secadv_20040317.txt SA-04:05.openssl 288574 9899 |
69bfc852-9bd0-11e2-a7be-8c705af55518 | FreeBSD -- OpenSSL multiple vulnerabilities
Discovery 2013-04-02 Entry 2013-04-02 Modified 2016-08-09 FreeBSD ge 8.3 lt 8.3_7 ge 9.0 lt 9.0_7 ge 9.1 lt 9.1_2 CVE-2013-0166 CVE-2013-0169 SA-13:03.openssl http://www.openssl.org/news/secadv_20130205.txt |
6a2cfcdc-9dea-11e6-a298-14dae9d210b8 | FreeBSD -- OpenSSH Remote Denial of Service vulnerability Problem Description: When processing the SSH_MSG_KEXINIT message, the server could allocate up to a few hundred megabytes of memory per connection, before any authentication takes place. Impact: A remote attacker may be able to cause an SSH server to allocate an excessive amount of memory. Note that the default MaxStartups setting on FreeBSD will limit the effectiveness of this attack. Discovery 2016-10-19 Entry 2016-10-29 Modified 2016-11-02 openssh-portable < 7.3p1_1 FreeBSD ge 11.0 lt 11.0_3 ge 10.3 lt 10.3_12 http://seclists.org/oss-sec/2016/q4/191 CVE-2016-8858 SA-16:33.openssh |
6a308e8e-b1b4-11da-b2fb-000e0c2e438a | openssh -- remote denial of service Problem description: Because OpenSSH and OpenPAM have conflicting designs (one is event-driven while the other is callback-driven), it is necessary for OpenSSH to fork a child process to handle calls to the PAM framework. However, if the unprivileged child terminates while PAM authentication is under way, the parent process incorrectly believes that the PAM child also terminated. The parent process then terminates, and the PAM child is left behind. Due to the way OpenSSH performs internal accounting, these orphaned PAM children are counted as pending connections by the master OpenSSH server process. Once a certain number of orphans has accumulated, the master decides that it is overloaded and stops accepting client connections. Impact: By repeatedly connecting to a vulnerable server, waiting for a password prompt, and closing the connection, an attacker can cause OpenSSH to stop accepting client connections until the system restarts or an administrator manually kills the orphaned PAM processes. Workaround: The following command will show a list of orphaned PAM processes: `# pgrep -lf 'sshd.*\[pam\]'` The following command will kill orphaned PAM processes: `# pkill -f 'sshd.*\[pam\]'` To prevent OpenSSH from leaving orphaned PAM processes behind, perform one of the following:
Discovery 2006-03-01 Entry 2006-03-12 Modified 2016-08-09 FreeBSD ge 5.4 lt 5.4_12 ge 5.3 lt 5.3_27 CVE-2006-0883 SA-06:09.openssh |
6b0215ae-8f26-11da-8c1d-000e0c2e438a | cpio -- multiple vulnerabilities Problem description: A number of issues have been discovered in cpio: When creating a new file, cpio closes the file before setting its permissions. (CVE-2005-1111) When extracting files cpio does not properly sanitize file names to filter out ".." components, even if the --no-absolute-filenames option is used. (CVE-2005-1229) When adding large files (larger than 4 GB) to a cpio archive on 64-bit platforms an internal buffer might overflow. (CVE-2005-4268) Impact: The first problem can allow a local attacker to change the permissions of files owned by the user executing cpio, provided that they have write access to the directory in which the file is being extracted. (CVE-2005-1111) The lack of proper file name sanitization can allow an attacker to overwrite arbitrary local files when extracting files from a cpio archive. (CVE-2005-1229) The buffer overflow on 64-bit platforms could lead cpio to a Denial-of-Service situation (crash) or possibly execute arbitrary code with the permissions of the user running cpio. (CVE-2005-4268) Workaround: Use a different utility to create and extract cpio archives, for example pax(1) or (on FreeBSD 5.3 or later) tar(1). If this is not possible, do not extract untrusted archives and, when running on 64-bit platforms, do not add untrusted files to cpio archives. Discovery 2006-01-11 Entry 2006-01-27 FreeBSD ge 6.0 lt 6.0_2 ge 5.4 lt 5.4_9 ge 5.3 lt 5.3_24 ge 4.11 lt 4.11_14 ge 4.10 lt 4.10_20 CVE-2005-1111 CVE-2005-1229 CVE-2005-4268 SA-06:03.cpio |
6b6ca5b6-6007-11e6-a6c3-14dae9d210b8 | FreeBSD -- devfs rules not applied by default for jails Problem Description: The default devfs rulesets are not loaded on boot, even when jails are used. Device nodes will be created in the jail with their normal default access permissions, while most of them should be hidden and inaccessible. Impact: Jailed processes can get access to restricted resources on the host system. For jailed processes running with superuser privileges this implies access to all devices on the system. This level of access could lead to information leakage and privilege escalation. Discovery 2014-04-30 Entry 2016-08-11 FreeBSD ge 10.0 lt 10.0_2 CVE-2014-3001 SA-14:07.devfs |
6b8cadce-db0b-11dd-aa56-000bcdf0a03b | FreeBSD -- IPv6 Neighbor Discovery Protocol routing vulnerability Problem Description: IPv6 routers may allow "on-link" IPv6 nodes to create and update the router's neighbor cache and forwarding information. A malicious IPv6 node sharing a common router but on a different physical segment from another node may be able to spoof Neighbor Discovery messages, allowing it to update router information for the victim node. Impact: An attacker on a different physical network connected to the same IPv6 router as another node could redirect IPv6 traffic intended for that node. This could lead to denial of service or improper access to private network traffic. Workaround: Firewall packet filters can be used to filter incoming Neighbor Solicitation messages but may interfere with normal IPv6 operation if not configured carefully. Reverse path forwarding checks could be used to make gateways, such as routers or firewalls, drop Neighbor Solicitation messages from nodes with unexpected source addresses on a particular interface. IPv6 router administrators are encouraged to read RFC 3756 for further discussion of Neighbor Discovery security implications. Discovery 2008-10-01 Entry 2009-01-05 Modified 2016-08-09 FreeBSD ge 6.3 lt 6.3_5 ge 7.0 lt 7.0_5 CVE-2008-2476 SA-08:10.nd6 |
6bedc863-9fbe-11e8-945f-206a8a720317 | wpa_supplicant -- unauthenticated encrypted EAPOL-Key data SO-AND-SO reports:
Discovery 2018-08-08 Entry 2018-08-14 wpa_supplicant < 2.6_2 FreeBSD le 10.4_10 le 11.2_1 https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt CVE-2018-14526 |
6d334fdb-f7e7-11ea-88f8-901b0ef719ab | FreeBSD -- ftpd privilege escalation via ftpchroot feature Problem Description: An ftpd(8) bug in the implementation of the file system sandbox, combined with capabilities available to an authenticated FTP user, can be used to escape the file system restriction configured in ftpchroot(5). Moreover, the bug allows a malicious client to gain root privileges. Impact: A malicious FTP user can gain privileged access to an affected system. Discovery 2020-09-15 Entry 2020-09-16 FreeBSD ge 12.1 lt 12.1_10 ge 11.4 lt 11.4_4 ge 11.3 lt 11.3_14 CVE-2020-7468 SA-20:30.ftpd |
6d4e4759-7b67-11dd-80ba-000bcdf0a03b | FreeBSD -- amd64 swapgs local privilege escalation Problem Description: If a General Protection Fault happens on a FreeBSD/amd64 system while it is returning from an interrupt, trap or system call, the swapgs CPU instruction may be called one extra time when it should not be, resulting in userland and kernel state being mixed. Impact: A local attacker can, by causing a General Protection Fault while the kernel is returning from an interrupt, trap or system call while manipulating stack frames, run arbitrary code with kernel privileges. The vulnerability can be used to gain kernel / supervisor privilege. This can for example be used by normal users to gain root privileges, to break out of jails, or to bypass Mandatory Access Control (MAC) restrictions. Workaround: No workaround is available, but only systems running the 64 bit FreeBSD/amd64 kernels are vulnerable. Systems with 64 bit capable CPUs, but running the 32 bit FreeBSD/i386 kernel, are not vulnerable. Discovery 2008-09-03 Entry 2008-09-05 Modified 2016-08-09 FreeBSD ge 6.3 lt 6.3_4 ge 7.0 lt 7.0_4 CVE-2008-3890 SA-08:07.amd64 |
6d9eadaf-6007-11e6-a6c3-14dae9d210b8 | FreeBSD -- sendmail improper close-on-exec flag handling Problem Description: There is a programming error in sendmail(8) that prevented open file descriptors from having close-on-exec properly set. Consequently a subprocess will be able to access all open files that the parent process has open. Impact: A local user who can execute their own program for mail delivery will be able to interfere with an open SMTP connection. Discovery 2014-06-03 Entry 2016-08-11 FreeBSD ge 10.0 lt 10.0_4 ge 9.2 lt 9.2_7 ge 9.1 lt 9.1_14 ge 8.4 lt 8.4_11 SA-14:11.sendmail |
6e87b696-ca3e-11df-aade-0050568f000c | FreeBSD -- Inappropriate directory permissions in freebsd-update(8) Problem Description: When downloading updates to FreeBSD via 'freebsd-update fetch' or 'freebsd-update upgrade', the freebsd-update(8) utility copies currently installed files into its working directory (/var/db/freebsd-update by default) both for the purpose of merging changes to configuration files and in order to be able to roll back installed updates. The default working directory used by freebsd-update(8) is normally created during the installation of FreeBSD with permissions which allow all local users to see its contents, and freebsd-update(8) does not take any steps to restrict access to files stored in said directory. Discovery 2009-12-03 Entry 2010-10-24 Modified 2016-08-09 FreeBSD ge 6.3 lt 6.3_14 ge 6.4 lt 6.4_8 ge 7.1 lt 7.1_9 ge 7.2 lt 7.2_5 ge 8.0 lt 8.0_1 SA-09:17.freebsd-update |
6e8f9003-6007-11e6-a6c3-14dae9d210b8 | FreeBSD -- Incorrect error handling in PAM policy parser Problem Description: The OpenPAM library searches for policy definitions in several locations. While doing so, the absence of a policy file is a soft failure (handled by searching in the next location) while the presence of an invalid file is a hard failure (handled by returning an error to the caller). The policy parser returns the same error code (ENOENT) when a syntactically valid policy references a non-existent module as when the requested policy file does not exist. The search loop regards this as a soft failure and looks for the next similarly-named policy, without discarding the partially-loaded configuration. A similar issue can arise if a policy contains an include directive that refers to a non-existent policy. Impact: If a module is removed, or the name of a module is misspelled in the policy file, the PAM library will proceed with a partially loaded configuration. Depending on the exact circumstances, this may result in a fail-open scenario where users are allowed to log in without a password, or with an incorrect password. In particular, if a policy references a module installed by a package or port, and that package or port is being reinstalled or upgraded, there is a brief window of time during which the module is absent and policies that use it may fail open. This can be especially damaging to Internet-facing SSH servers, which are regularly subjected to brute-force scans. Discovery 2014-06-03 Entry 2016-08-11 FreeBSD ge 9.2 lt 9.2_7 ge 10.0 lt 10.0_4 CVE-2014-3879 SA-14:13.pam |
6ed5c5e3-a840-11e7-b5af-a4badb2f4699 | FreeBSD -- OpenSSH Denial of Service vulnerability Problem Description: There is no limit on the password length. Impact: A remote attacker may be able to cause an affected SSH server to use an excessive amount of CPU by sending very long passwords, when PasswordAuthentication is enabled by the system administrator. Discovery 2017-08-10 Entry 2017-10-03 FreeBSD ge 11.1 lt 11.1_1 ge 11.0 lt 11.0_12 ge 10.3 lt 10.3_21 CVE-2016-6515 SA-17:06.openssh |
6f91a709-6007-11e6-a6c3-14dae9d210b8 | FreeBSD -- iconv(3) NULL pointer dereference and out-of-bounds array access Problem Description: A NULL pointer dereference in the initialization code of the HZ module and an out-of-bounds array access in the initialization code of the VIQR module make iconv_open(3) calls involving HZ or VIQR result in an application crash. Impact: Services where an attacker can control the arguments of an iconv_open(3) call can be caused to crash, resulting in a denial-of-service. For example, an email encoded in HZ may cause an email delivery service to crash if it converts emails to a more generic encoding like UTF-8 before applying filtering rules. Discovery 2014-06-24 Entry 2016-08-11 FreeBSD ge 10.0 lt 10.0_6 CVE-2014-3951 SA-14:15.iconv |
70140f20-6007-11e6-a6c3-14dae9d210b8 | FreeBSD -- Multiple vulnerabilities in file(1) and libmagic(3) Problem Description: A specifically crafted Composite Document File (CDF) file can trigger an out-of-bounds read or an invalid pointer dereference. [CVE-2012-1571] The regular expression in the awk script detector is flawed in that it makes use of multiple wildcards with unlimited repetitions. [CVE-2013-7345] A malicious input file could trigger infinite recursion in libmagic(3). [CVE-2014-1943] A specifically crafted Portable Executable (PE) can trigger an out-of-bounds read. [CVE-2014-2270] Impact: An attacker who can cause file(1) or any other application using the libmagic(3) library to be run on a maliciously constructed input can cause the application to crash or consume excessive CPU resources, resulting in a denial-of-service. Discovery 2014-06-24 Entry 2016-08-11 FreeBSD ge 10.0 lt 10.0_6 ge 9.2 lt 9.2_9 ge 9.1 lt 9.1_16 ge 8.4 lt 8.4_13 CVE-2012-1571 CVE-2013-7345 CVE-2014-1943 CVE-2014-2270 SA-14:16.file |
7229d900-88af-11d8-90d1-0020ed76ef5a | mksnap_ffs clears file system options The kernel interface for creating a snapshot of a filesystem is the same as that for changing the flags on that filesystem. Due to an oversight, the mksnap_ffs(8) command called that interface with only the snapshot flag set, causing all other flags to be reset to the default value. A regularly scheduled backup of a live filesystem, or any other process that uses the mksnap_ffs command (for instance, to provide a rough undelete functionality on a file server), will clear any flags in effect on the filesystem being snapshot. Possible consequences depend on local usage, but can include disabling extended access control lists or enabling the use of setuid executables stored on an untrusted filesystem. The mksnap_ffs command is normally only available to the superuser and members of the `operator' group. There is therefore no risk of a user gaining elevated privileges directly through use of the mksnap_ffs command unless it has been intentionally made available to unprivileged users. Discovery 2004-01-30 Entry 2004-04-07 Modified 2004-05-05 FreeBSD ge 5.2 lt 5.2_1 ge 5.1 lt 5.1_12 CVE-2004-0099 SA-04:01.mksnap_ffs |
7257b26f-0597-11da-86bc-000e0c2e438a | devfs -- ruleset bypass Problem description: Due to insufficient parameter checking of the node type during device creation, any user can expose hidden device nodes on devfs mounted file systems within their jail. Device nodes will be created in the jail with their normal default access permissions. Impact: Jailed processes can get access to restricted resources on the host system. For jailed processes running with superuser privileges this implies access to all devices on the system. This level of access can lead to information leakage and privilege escalation. Discovery 2005-07-20 Entry 2005-08-05 FreeBSD ge 5.4 lt 5.4_5 ge 5.* lt 5.3_19 CVE-2005-2218 SA-05:17.devfs |
726dd9bd-8f25-11da-8c1d-000e0c2e438a | ee -- temporary file privilege escalation Problem description: The ispell_op function used by ee(1) while executing spell check operations employs an insecure method of temporary file generation. This method produces predictable file names based on the process ID and fails to confirm which path will be overwritten with the user. Impact: These predictable temporary file names are problematic because they allow an attacker to take advantage of a race condition in order to execute a symlink attack, which could allow them to overwrite files on the system in the context of the user running the ee(1) editor. Workaround: Instead of invoking ispell through ee(1), invoke it directly. Discovery 2006-01-11 Entry 2006-01-27 FreeBSD ge 6.0 lt 6.0_2 ge 5.4 lt 5.4_9 ge 5.3 lt 5.3_24 ge 4.11 lt 4.11_14 ge 4.10 lt 4.10_20 16207 CVE-2006-0055 SA-06:02.ee |
72ee7111-6007-11e6-a6c3-14dae9d210b8 | FreeBSD -- rtsold(8) remote buffer overflow vulnerability Problem Description: Due to a missing length check in the code that handles DNS parameters, a malformed router advertisement message can result in a stack buffer overflow in rtsold(8). Impact: Receipt of a router advertisement message with a malformed DNSSL option, for instance from a compromised host on the same network, can cause rtsold(8) to crash. While it is theoretically possible to inject code into rtsold(8) through malformed router advertisement messages, it is normally compiled with stack protection enabled, rendering such an attack extremely difficult. When rtsold(8) crashes, the existing DNS configuration will remain in force, and the kernel will continue to receive and process periodic router advertisements. Discovery 2014-10-21 Entry 2016-08-11 FreeBSD ge 10.0 lt 10.0_10 ge 9.3 lt 9.3_3 ge 9.2 lt 9.2_13 ge 9.1 lt 9.1_20 CVE-2014-3954 SA-14:20.rtsold |
731cdeaa-3564-11e5-9970-14dae9d210b8 | bind -- denial of service vulnerability ISC reports:
Discovery 2015-07-21 Entry 2015-07-28 Modified 2016-08-09 bind910 < 9.10.2P3 bind99 < 9.9.7P2 bind910-base bind99-base gt 0 FreeBSD ge 9.3 lt 9.3_21 ge 8.4 lt 8.4_35 SA-15:17.bind CVE-2015-5477 https://kb.isc.org/article/AA-01272/ |
734233f4-6007-11e6-a6c3-14dae9d210b8 | FreeBSD -- routed(8) remote denial of service vulnerability Problem Description: The input path in routed(8) will accept queries from any source and attempt to answer them. However, the output path assumes that the destination address for the response is on a directly connected network. Impact: Upon receipt of a query from a source which is not on a directly connected network, routed(8) will trigger an assertion and terminate. The affected system's routing table will no longer be updated. If the affected system is a router, its routes will eventually expire from other routers' routing tables, and its networks will no longer be reachable unless they are also connected to another router. Discovery 2014-10-21 Entry 2016-08-11 FreeBSD ge 10.0 lt 10.0_10 ge 9.3 lt 9.3_3 ge 9.2 lt 9.2_13 ge 9.1 lt 9.1_20 ge 8.4 lt 8.4_17 CVE-2014-3955 SA-14:21.routed |
73e9a137-6007-11e6-a6c3-14dae9d210b8 | FreeBSD -- Denial of service attack against sshd(8) Problem Description: Although OpenSSH is not multithreaded, when OpenSSH is compiled with Kerberos support, the Heimdal libraries bring in the POSIX thread library as a dependency. Due to incorrect library ordering while linking sshd(8), symbols in the C library which are shadowed by the POSIX thread library may not be resolved correctly at run time. Note that this problem is specific to the FreeBSD build system and does not affect other operating systems or the version of OpenSSH available from the FreeBSD ports tree. Impact: An incorrectly linked sshd(8) child process may deadlock while handling an incoming connection. The connection may then time out or be interrupted by the client, leaving the deadlocked sshd(8) child process behind. Eventually, the sshd(8) parent process stops accepting new connections. An attacker may take advantage of this by repeatedly connecting and then dropping the connection after having begun, but not completed, the authentication process. Discovery 2014-11-04 Entry 2016-08-11 FreeBSD ge 10.0 lt 10.0_12 ge 9.2 lt 9.2_15 ge 9.1 lt 9.1_22 CVE-2014-8475 SA-14:24.sshd |
7488378d-6007-11e6-a6c3-14dae9d210b8 | FreeBSD -- Remote command execution in ftp(1) Problem Description: A malicious HTTP server could cause ftp(1) to execute arbitrary commands. Impact: When operating on HTTP URIs, the ftp(1) client follows HTTP redirects, and uses the part of the path after the last '/' from the last resource it accesses as the output filename if '-o' is not specified. If the output file name provided by the server begins with a pipe ('|'), the output is passed to popen(3), which might be used to execute arbitrary commands on the ftp(1) client machine. Discovery 2014-11-04 Entry 2016-08-11 FreeBSD ge 10.0 lt 10.0_12 ge 9.3 lt 9.3_5 ge 9.2 lt 9.2_15 ge 9.1 lt 9.1_22 ge 8.4 lt 8.4_19 CVE-2014-8517 SA-14:26.ftp |
74ded00e-6007-11e6-a6c3-14dae9d210b8 | FreeBSD -- Buffer overflow in stdio Problem Description: A programming error in the standard I/O library's __sflush() function could erroneously adjust the buffered stream's internal state even when no write actually occurred, in the case when the write(2) system call returns an error. Impact: The accounting mismatch would accumulate if the caller does not check the stream status, and will eventually lead to a heap buffer overflow. Such overflows may lead to data corruption or the execution of arbitrary code at the privilege level of the calling program. Discovery 2014-12-10 Entry 2016-08-11 FreeBSD ge 10.1 lt 10.1_1 CVE-2014-8611 SA-14:27.stdio |
759b8dfe-3972-11d9-a9e7-0001020eed82 | Overflow error in fetch An integer overflow condition in fetch(1) in the processing of HTTP headers can result in a buffer overflow. A malicious server or CGI script can respond to an HTTP or HTTPS request in such a manner as to cause arbitrary portions of the client's memory to be overwritten, allowing for arbitrary code execution. Discovery 2004-11-14 Entry 2004-11-18 FreeBSD ge 5.3 lt 5.3_1 ge 5.2.1 lt 5.2.1_12 ge 5.1 lt 5.1_18 ge 5.0 lt 5.0_22 ge 4.10 lt 4.10_4 ge 4.9 lt 4.9_13 ge 4.8 lt 4.8_26 < 4.7_28 SA-04:16.fetch CVE-2004-1053 11702 |
762b7d4a-ec19-11ea-88f8-901b0ef719ab | FreeBSD -- dhclient heap overflow Problem Description: When parsing option 119 data, dhclient(8) computes the uncompressed domain list length so that it can allocate an appropriately sized buffer to store the uncompressed list. The code to compute the length failed to handle certain malformed input, resulting in a heap overflow when the uncompressed list is copied into an inadequately sized buffer. Impact: The heap overflow could in principle be exploited to achieve remote code execution. The affected process runs with reduced privileges in a Capsicum sandbox, limiting the immediate impact of an exploit. However, it is possible the bug could be combined with other vulnerabilities to escape the sandbox. Discovery 2020-09-02 Entry 2020-09-02 FreeBSD ge 12.1 lt 12.1_9 ge 11.4 lt 11.4_3 ge 11.3 lt 11.3_13 CVE-2020-7461 SA-20:26.dhclient |
768cfe70-ca40-11df-aade-0050568f000c | FreeBSD -- OPIE off-by-one stack overflow Problem Description: A programming error in the OPIE library could allow an off-by-one buffer overflow to write a single zero byte beyond the end of an on-stack buffer. Discovery 2010-05-27 Entry 2010-10-24 Modified 2016-08-09 FreeBSD ge 6.4 lt 6.4_10 ge 7.1 lt 7.1_12 ge 7.2 lt 7.2_8 ge 7.3 lt 7.3_1 ge 8.0 lt 8.0_3 SA-10:05.opie |
7943e521-f648-11e2-8607-3c970e169bc2 | bind -- denial of service vulnerability ISC reports:
Discovery 2013-07-26 Entry 2013-07-26 Modified 2016-08-09 bind99 gt 9.9.3 lt 9.9.3.2 bind99-base gt 9.9.3 lt 9.9.3.2 bind98 gt 9.8.5 lt 9.8.5.2 bind98-base gt 9.8.5 lt 9.8.5.2 FreeBSD ge 9.0 lt 9.1_5 ge 8.4 lt 8.4_2 CVE-2013-4854 SA-13:07.bind https://kb.isc.org/article/AA-01015/0 |
7a09a8df-ca41-11df-aade-0050568f000c | FreeBSD -- Lost mbuf flag resulting in data corruption Problem Description: The read-only flag is not correctly copied when an mbuf buffer reference is duplicated. When the sendfile(2) system call is used to transmit data over the loopback interface, this can result in the backing pages for the transmitted file being modified, causing data corruption. Discovery 2010-07-13 Entry 2010-10-24 Modified 2016-08-09 FreeBSD ge 7.1 lt 7.1_13 ge 7.3 lt 7.3_2 ge 8.0 lt 8.0_4 SA-10:07.mbuf |
7a31dfba-600a-11e6-a6c3-14dae9d210b8 | FreeBSD -- Insecure default snmpd.config permissions Problem Description: The SNMP protocol supports an authentication model called USM, which relies on a shared secret. The default permission of the snmpd configuration file, /etc/snmpd.config, is weak and does not provide adequate protection against local unprivileged users. Impact: A local user may be able to read the shared secret, if configured and used by the system administrator. Discovery 2016-01-14 Entry 2016-08-11 FreeBSD ge 10.2 lt 10.2_9 ge 10.1 lt 10.1_26 ge 9.3 lt 9.3_33 CVE-2015-5677 SA-16:06.bsnmpd |
7a4f2aca-9d40-11da-8c1d-000e0c2e438a | FreeBSD -- Local kernel memory disclosure Problem description: A buffer allocated from the kernel stack may not be completely initialized before being copied to userland. [CVE-2006-0379] A logic error in computing a buffer length may allow too much data to be copied into userland. [CVE-2006-0380] Impact: Portions of kernel memory may be disclosed to local users. Such memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way. For example, a terminal buffer might include a user-entered password. Workaround: No workaround is available. Discovery 2006-01-25 Entry 2006-02-14 Modified 2016-08-09 FreeBSD ge 6.0 lt 6.0_4 CVE-2006-0379 CVE-2006-0380 SA-06:06.kmem |
7b1a4a27-600a-11e6-a6c3-14dae9d210b8 | FreeBSD -- Multiple OpenSSL vulnerabilities Problem Description: A cross-protocol attack was discovered that could lead to decryption of TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle. Note that traffic between clients and non-vulnerable servers can be decrypted provided another server supporting SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or POP3) shares the RSA keys of the non-vulnerable server. This vulnerability is known as DROWN. [CVE-2016-0800] A double free bug was discovered when OpenSSL parses malformed DSA private keys and could lead to a DoS attack or memory corruption for applications that receive DSA private keys from untrusted sources. This scenario is considered rare. [CVE-2016-0705] The SRP user database lookup method SRP_VBASE_get_by_user had confusing memory management semantics; the returned pointer was sometimes newly allocated, and sometimes owned by the callee. The calling code has no way of distinguishing these two cases. [CVE-2016-0798] In the BN_hex2bn function, the number of hex digits is calculated using an int value |i|. Later |bn_expand| is called with a value of |i * 4|. For large values of |i| this can result in |bn_expand| not allocating any memory because |i * 4| is negative. This can leave the internal BIGNUM data field as NULL leading to a subsequent NULL pointer dereference. For very large values of |i|, the calculation |i * 4| could be a positive value smaller than |i|. In this case memory is allocated to the internal BIGNUM data field, but it is insufficiently sized leading to heap corruption. A similar issue exists in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn is ever called by user applications with very large untrusted hex/dec data. This is anticipated to be a rare occurrence. [CVE-2016-0797] The internal |fmtstr| function used in processing a "%s" formatted string in the BIO_*printf functions could overflow while calculating the length of a string and cause an out-of-bounds read when printing very long strings. [CVE-2016-0799] A side-channel attack was found which makes use of cache-bank conflicts on the Intel Sandy-Bridge microarchitecture which could lead to the recovery of RSA keys. [CVE-2016-0702] s2_srvr.c did not enforce that clear-key-length is 0 for non-export ciphers. If clear-key bytes are present for these ciphers, they displace encrypted-key bytes. [CVE-2016-0703] s2_srvr.c overwrites the wrong bytes in the master key when applying Bleichenbacher protection for export cipher suites. [CVE-2016-0704] Impact: Servers that have the SSLv2 protocol enabled are vulnerable to the "DROWN" attack, which allows a remote attacker to quickly attack many recorded TLS connections made to the server, even when the client did not make any SSLv2 connections themselves. An attacker who can supply malformed DSA private keys to OpenSSL applications may be able to cause memory corruption which would lead to a Denial of Service condition. [CVE-2016-0705] An attacker connecting with an invalid username can cause a memory leak, which could eventually lead to a Denial of Service condition. [CVE-2016-0798] An attacker who can inject malformed data into an application may be able to cause memory corruption which would lead to a Denial of Service condition. [CVE-2016-0797, CVE-2016-0799] A local attacker who has control of code in a thread running on the same hyper-threaded core as the victim thread which is performing decryptions could recover RSA keys. [CVE-2016-0702] An eavesdropper who can intercept an SSLv2 handshake can conduct an efficient divide-and-conquer key recovery attack and use the server as an oracle to determine the SSLv2 master-key, using only 16 connections to the server and negligible computation. [CVE-2016-0703] An attacker can use the Bleichenbacher oracle, which enables a more efficient variant of the DROWN attack. [CVE-2016-0704] Discovery 2016-03-10 Entry 2016-08-11 FreeBSD ge 10.2 lt 10.2_13 ge 10.1 lt 10.1_30 ge 9.3 lt 9.3_38 CVE-2016-0702 CVE-2016-0703 CVE-2016-0704 CVE-2016-0705 CVE-2016-0797 CVE-2016-0798 CVE-2016-0799 CVE-2016-0800 SA-16:12.openssl |
7c63775e-be31-11e5-b5fe-002590263bf5 | libarchive -- multiple vulnerabilities MITRE reports:
Libarchive issue tracker reports:
Discovery 2012-12-06 Entry 2016-01-18 Modified 2016-08-09 libarchive < 3.1.2_5,1 FreeBSD ge 10.3 lt 10.3_4 ge 10.2 lt 10.2_18 ge 10.1 lt 10.1_35 ge 9.3 lt 9.3_43 CVE-2013-0211 CVE-2015-2304 ports/200176 SA-16:22.libarchive SA-16:23.libarchive https://github.com/libarchive/libarchive/pull/110 https://github.com/libarchive/libarchive/commit/5935715 https://github.com/libarchive/libarchive/commit/2253154 https://github.com/libarchive/libarchive/issues/502 https://github.com/libarchive/libarchive/commit/3865cf2 https://github.com/libarchive/libarchive/commit/e6c9668 https://github.com/libarchive/libarchive/commit/24f5de6 |
7ccd4def-c1be-11e3-9d09-000c2980a9f3 | OpenSSL -- Local Information Disclosure OpenSSL reports:
Discovery 2014-04-07 Entry 2014-04-11 openssl ge 1.0.1 lt 1.0.1_10 mingw32-openssl ge 1.0.1 lt 1.0.1g FreeBSD ge 8.3 lt 8.3_15 ge 8.4 lt 8.4_8 ge 9.1 lt 9.1_11 ge 9.2 lt 9.2_4 ge 10.0 lt 10.0_1 CVE-2014-0076 SA-14:06.openssl https://www.openssl.org/news/vulnerabilities.html#2014-0076 |
7cfcea05-600a-11e6-a6c3-14dae9d210b8 | FreeBSD -- Multiple ntp vulnerabilities Problem Description: Multiple vulnerabilities have been discovered in the NTP suite: The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that could cause ntpd to crash. [CVE-2016-4957, Reported by Nicolas Edet of Cisco] An attacker who knows the origin timestamp and can send a spoofed packet containing a CRYPTO-NAK to an ephemeral peer target before any other response is sent can demobilize that association. [CVE-2016-4953, Reported by Miroslav Lichvar of Red Hat] An attacker who is able to spoof packets with correct origin timestamps from enough servers before the expected response packets arrive at the target machine can affect some peer variables and, for example, cause a false leap indication to be set. [CVE-2016-4954, Reported by Jakub Prokes of Red Hat] An attacker who is able to spoof a packet with a correct origin timestamp before the expected response packet arrives at the target machine can send a CRYPTO_NAK or a bad MAC and cause the association's peer variables to be cleared. If this can be done often enough, it will prevent that association from working. [CVE-2016-4955, Reported by Miroslav Lichvar of Red Hat] The fix for NtpBug2978 does not cover broadcast associations, so broadcast clients can be triggered to flip into interleave mode. [CVE-2016-4956, Reported by Miroslav Lichvar of Red Hat.] Impact: Malicious remote attackers may be able to break time synchronization, or cause the ntpd(8) daemon to crash. Discovery 2016-06-04 Entry 2016-08-11 FreeBSD ge 10.3 lt 10.3_5 ge 10.2 lt 10.2_19 ge 10.1 lt 10.1_36 ge 9.3 lt 9.3_44 CVE-2016-4953 CVE-2016-4954 CVE-2016-4955 CVE-2016-4956 CVE-2016-4957 SA-16:24.ntp |
7d4f4955-600a-11e6-a6c3-14dae9d210b8 | FreeBSD -- Heap vulnerability in bspatch Problem Description: The implementation of bspatch does not check for a negative value on numbers of bytes read from the diff and extra streams, allowing an attacker who can control the patch file to write at arbitrary locations in the heap. This issue was first discovered by The Chromium Project and reported independently by Lu Tung-Pin to the FreeBSD project. Impact: An attacker who can control the patch file can cause a crash or run arbitrary code under the credentials of the user who runs bspatch, in many cases, root. Discovery 2016-07-25 Entry 2016-08-11 FreeBSD ge 10.3 lt 10.3_6 ge 10.2 lt 10.2_20 ge 10.1 lt 10.1_37 ge 9.3 lt 9.3_45 CVE-2014-9862 SA-16:25.bspatch |
7dbb7197-7b68-11dd-80ba-000bcdf0a03b | FreeBSD -- nmount(2) local arbitrary code execution Problem Description: Various user defined input such as mount points, devices, and mount options are prepared and passed as arguments to nmount(2) into the kernel. Under certain error conditions, user defined data will be copied into a stack allocated buffer stored in the kernel without sufficient bounds checking. Impact: If the system is configured to allow unprivileged users to mount file systems, it is possible for a local adversary to exploit this vulnerability and execute code in the context of the kernel. Workaround: It is possible to work around this issue by allowing only privileged users to mount file systems by running the following sysctl(8) command: # sysctl vfs.usermount=0 Discovery 2008-09-03 Entry 2008-09-05 Modified 2016-08-09 FreeBSD ge 6.3 lt 6.3_4 ge 7.0 lt 7.0_4 CVE-2008-3531 SA-08:08.nmount |
7e53f9cc-656d-11e9-8e67-206a8a720317 | FreeBSD -- SAE side-channel attacks Problem Description: Side channel attacks in the SAE implementations used by both hostapd (AP) and wpa_supplicant (infrastructure BSS station/mesh station). SAE (Simultaneous Authentication of Equals) is also known as WPA3-Personal. The discovered side channel attacks may be able to leak information about the used password based on observable timing differences and cache access patterns. This might result in full password recovery when combined with an offline dictionary attack and if the password is not strong enough to protect against dictionary attacks. See https://w1.fi/security/2019-1/sae-side-channel-attacks.txt for a detailed description of the bug. Impact: All wpa_supplicant and hostapd versions with SAE support (CONFIG_SAE=y in the build configuration and SAE being enabled in the runtime configuration) are affected. Discovery 2019-04-10 Entry 2019-04-23 FreeBSD ge 12.0 lt 12.0_3 ge 11.2 lt 11.2_9 wpa_supplicant < 2.8 hostapd < 2.8 CVE-2019-9494 |
8305e215-1080-11e5-8ba2-000c2980a9f3 | openssl -- multiple vulnerabilities The OpenSSL team reports:
Discovery 2015-06-11 Entry 2015-06-11 Modified 2016-08-09 openssl < 1.0.2_2 mingw32-openssl ge 1.0.1 lt 1.0.2b linux-c6-openssl < 1.0.1e_6 libressl < 2.1.7 FreeBSD ge 10.1 lt 10.1_12 ge 9.3 lt 9.3_16 ge 8.4 lt 8.4_30 CVE-2014-8176 CVE-2015-1788 CVE-2015-1789 CVE-2015-1790 CVE-2015-1791 CVE-2015-1792 CVE-2015-4000 SA-15:10.openssl https://www.openssl.org/news/secadv_20150611.txt |
83725c91-7c7e-11de-9672-00e0815b8da8 | BIND -- Dynamic update message remote DoS Problem Description: When named(8) receives a specially crafted dynamic update message an internal assertion check is triggered which causes named(8) to exit. To trigger the problem, the dynamic update message must contain a record of type "ANY" and at least one resource record set (RRset) for this fully qualified domain name (FQDN) must exist on the server. Impact: An attacker who can send DNS requests to a nameserver can cause it to exit, thus creating a Denial of Service situation. Workaround: No generally applicable workaround is available, but some firewalls may be able to prevent nsupdate DNS packets from reaching the nameserver. NOTE WELL: Merely configuring named(8) to ignore dynamic updates is NOT sufficient to protect it from this vulnerability. Discovery 2009-07-28 Entry 2009-08-01 Modified 2009-08-04 bind9 < 9.3.6.1.1 bind9-sdb-postgresql bind9-sdb-ldap < 9.4.3.3 FreeBSD ge 6.3 lt 6.3_12 ge 6.4 lt 6.4_6 ge 7.1 lt 7.1_7 ge 7.2 lt 7.2_3 CVE-2009-0696 SA-09:12.bind http://www.kb.cert.org/vuls/id/725188 https://www.isc.org/node/474 |
837b9fb2-0595-11da-86bc-000e0c2e438a | zlib -- buffer overflow vulnerability Problem description: A fixed-size buffer is used in the decompression of data streams. Due to erroneous analysis performed when zlib was written, this buffer, which was believed to be sufficiently large to handle any possible input stream, is in fact too small. Impact: A carefully constructed compressed data stream can result in zlib overwriting some data structures. This may cause applications to halt, resulting in a denial of service; or it may result in an attacker gaining elevated privileges. Discovery 2005-07-27 Entry 2005-08-05 Modified 2005-09-24 linux_base-suse < 9.3_1 FreeBSD ge 5.4 lt 5.4_6 ge 5.3 lt 5.3_20 CVE-2005-1849 SA-05:18.zlib |
87261557-a450-11e2-9898-001060e06fd4 | FreeBSD -- Network ACL mishandling in mountd(8)
Discovery 2011-04-20 Entry 2012-01-29 FreeBSD ge 7.3 lt 7.3_5 ge 7.4 lt 7.4_1 ge 8.1 lt 8.1_3 ge 8.2 lt 8.2_1 SA-11:01.mountd CVE-2011-1739 |
8aff07eb-1dbd-11e4-b6ba-3c970e169bc2 | OpenSSL -- multiple vulnerabilities The OpenSSL Project reports:
Discovery 2014-08-06 Entry 2014-08-06 Modified 2016-08-09 openssl ge 1.0.1 lt 1.0.1_14 mingw32-openssl ge 1.0.1 lt 1.0.1i FreeBSD ge 8.4 lt 8.4_15 ge 9.1 lt 9.1_18 ge 9.2 lt 9.2_11 ge 9.3 lt 9.3_1 ge 10.0 lt 10.0_8 https://www.openssl.org/news/secadv_20140806.txt SA-14:18.openssl CVE-2014-3505 CVE-2014-3506 CVE-2014-3507 CVE-2014-3508 CVE-2014-3509 CVE-2014-3510 CVE-2014-3511 CVE-2014-3512 CVE-2014-5139 |
8e01ab5b-0949-11dc-8163-000e0c2e438a | FreeBSD -- heap overflow in file(1) Problem Description: When writing data into a buffer in the file_printf function, the length of the unused portion of the buffer is not correctly tracked, resulting in a buffer overflow when processing certain files. Impact: An attacker who can cause file(1) to be run on a maliciously constructed input can cause file(1) to crash. It may be possible for such an attacker to execute arbitrary code with the privileges of the user running file(1). The above also applies to any other applications using the libmagic(3) library. Workaround: No workaround is available, but systems where file(1) and other libmagic(3)-using applications are never run on untrusted input are not vulnerable. Discovery 2007-05-23 Entry 2007-05-23 Modified 2016-08-09 file < 4.21 FreeBSD ge 6.2 lt 6.2_5 ge 6.1 lt 6.1_17 ge 5.5 lt 5.5_13 CVE-2007-1536 SA-07:04.file |
8eaaf135-1893-11ed-9b22-002590c1f29c | FreeBSD -- Missing bounds check in 9p message handling Problem Description: The implementation of lib9p's handling of RWALK messages was missing a bounds check needed when unpacking the message contents. The missing check means that the receipt of a specially crafted message will cause lib9p to overwrite unrelated memory. Impact: The bug can be triggered by a malicious bhyve guest kernel to overwrite memory in the bhyve(8) process. This could potentially lead to user-mode code execution on the host, subject to bhyve's Capsicum sandbox. Discovery 2022-08-09 Entry 2022-08-10 FreeBSD ge 13.1 lt 13.1_1 ge 13.0 lt 13.0_12 CVE-2022-23092 SA-22:12.lib9p |
8ecaaca2-cc07-11d8-858d-000d610a3b12 | Linux binary compatibility mode input validation error A programming error in the handling of some Linux system calls may result in memory locations being accessed without proper validation. It may be possible for a local attacker to read and/or overwrite portions of kernel memory, resulting in disclosure of sensitive information or potential privilege escalation. A local attacker can cause a system panic. Discovery 2004-06-18 Entry 2004-06-30 FreeBSD ge 4.9 lt 4.9_10 ge 4.8 lt 4.8_23 CVE-2004-0602 SA-04:13.linux |
8efe93e2-ee62-11d9-8310-0001020eed82 | zlib -- buffer overflow vulnerability Problem Description: An error in the handling of corrupt compressed data streams can result in a buffer being overflowed. Impact: By carefully crafting a corrupt compressed data stream, an attacker can overwrite data structures in a zlib-using application. This may cause the application to halt, causing a denial of service; or it may result in the attacker gaining elevated privileges. Discovery 2005-07-06 Entry 2005-07-06 Modified 2005-10-01 zsync < 0.4.1 FreeBSD ge 5.4 lt 5.4_4 ge 5.3 lt 5.3_18 CVE-2005-2096 SA-05:16.zlib |
9082a85a-88ae-11d8-90d1-0020ed76ef5a | jailed processes can attach to other jails A programming error has been found in the jail_attach(2) system call which affects the way that system call verifies the privilege level of the calling process. Instead of failing immediately if the calling process was already jailed, the jail_attach system call would fail only after changing the calling process's root directory. A process with superuser privileges inside a jail could change its root directory to that of a different jail, and thus gain full read and write access to files and directories within the target jail. Discovery 2004-02-19 Entry 2004-04-07 Modified 2004-05-05 FreeBSD ge 5.1 lt 5.1_14 ge 5.2 lt 5.2.1 CVE-2004-0126 SA-04:03.jail |
90cc1494-10ac-11e1-b3ec-0024e830109b | BIND -- Remote DOS The Internet Systems Consortium reports:
Discovery 2011-11-16 Entry 2011-11-16 Modified 2012-01-29 FreeBSD ge 7.3 lt 7.3_9 ge 7.4 lt 7.4_5 ge 8.1 lt 8.1_7 ge 8.2 lt 8.2_5 bind96 < 9.6.3.1.ESV.R5.1 bind97 < 9.7.4.1 bind98 < 9.8.1.1 SA-11:06.bind CVE-2011-4313 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4313 https://www.isc.org/software/bind/advisories/cve-2011-4313 |
90d2e58f-b25a-11de-8c83-02e0185f8d72 | FreeBSD -- kqueue pipe race conditions Problem Description: A race condition exists in the pipe close() code relating to kqueues, causing use-after-free for kernel memory, which may lead to an exploitable NULL pointer vulnerability in the kernel, kernel memory corruption, and other unpredictable results. Impact: Successful exploitation of the race condition can lead to local kernel privilege escalation, kernel data corruption and/or crash. To exploit this vulnerability, an attacker must be able to run code on the target system. Workaround: An errata notice, FreeBSD-EN-09:05.null, has been released simultaneously with this advisory, and contains a kernel patch implementing a workaround for a broader class of vulnerabilities. However, prior to those changes, no workaround is available. Discovery 2009-10-02 Entry 2009-10-06 Modified 2016-08-09 FreeBSD ge 6.3 lt 6.4_7 ge 6.4 lt 6.3_13 SA-09:13.pipe |
91a337d8-83ed-11e6-bf52-b499baebfeaf | OpenSSL -- multiple vulnerabilities OpenSSL reports:
Discovery 2016-09-26 Entry 2016-09-26 Modified 2016-10-10 openssl < 1.0.2j,1 openssl-devel < 1.1.0b libressl < 2.4.3 libressl-devel < 2.4.3 FreeBSD ge 11.0 lt 11.0_1 https://www.openssl.org/news/secadv/20160926.txt CVE-2016-6309 CVE-2016-7052 SA-16:27.openssl |
9442a811-dab3-11e7-b5af-a4badb2f4699 | FreeBSD -- OpenSSL multiple vulnerabilities Problem Description: If an X.509 certificate has a malformed IPAddressFamily extension, OpenSSL could do a one-byte buffer overread. [CVE-2017-3735] There is a carry propagating bug in the x86_64 Montgomery squaring procedure. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen. [CVE-2017-3736] This bug only affects FreeBSD 11.x. Impact: Applications using OpenSSL may display an erroneous certificate in text format. [CVE-2017-3735] Mishandling of carry propagation will produce incorrect output, and make it easier for a remote attacker to obtain sensitive private-key information. No EC algorithms are affected; analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. [CVE-2017-3736] Discovery 2017-11-29 Entry 2017-12-06 FreeBSD ge 11.1 lt 11.1_5 ge 11.0 lt 11.0_16 ge 10.4 lt 10.4_4 ge 10.3 lt 10.3_25 CVE-2017-3735 CVE-2017-3736 SA-17:11.openssl |
9575259a-92d5-11e4-bce6-d050992ecde8 | file -- multiple vulnerabilities RedHat reports:
Discovery 2014-12-16 Entry 2015-01-02 file < 5.21 FreeBSD ge 8.4 lt 8.4_20 ge 9.1 lt 9.1_23 ge 9.2 lt 9.2_16 ge 9.3 lt 9.3_6 ge 10.0 lt 10.0_13 ge 10.1 lt 10.1_1 CVE-2014-3710 CVE-2014-8116 CVE-2014-8117 SA-14:28.file http://seclists.org/oss-sec/2014/q4/1056 |
96811d4a-04ec-11ec-9b84-d4c9ef517024 | OpenSSL -- multiple vulnerabilities The OpenSSL project reports:
Discovery 2021-08-24 Entry 2021-08-24 Modified 2021-08-25 openssl < 1.1.1l,1 openssl-devel < 3.0.0.b3 FreeBSD ge 13.0 lt 13.0_4 ge 12.2 lt 12.2_10 CVE-2021-3711 CVE-2021-3712 https://www.openssl.org/news/secadv/20210824.txt SA-21:16.openssl |
96a21236-707b-11eb-96d8-d4c9ef517024 | OpenSSL -- Multiple vulnerabilities The OpenSSL project reports:
Discovery 2021-02-16 Entry 2021-02-16 Modified 2021-08-25 openssl < 1.1.1j,1 openssl-devel < 3.0.0.a12 FreeBSD ge 12.2 lt 12.2_10 ge 11.4 lt 11.4_13 https://www.openssl.org/news/secadv/20210216.txt CVE-2021-23841 CVE-2021-23840 CVE-2021-23839 SA-21:17.openssl |
96ba2dae-4ab0-11d8-96f2-0020ed76ef5a | L2TP, ISAKMP, and RADIUS parsing vulnerabilities in tcpdump Jonathan Heusser discovered vulnerabilities in tcpdump's L2TP, ISAKMP, and RADIUS protocol handlers. These vulnerabilities may be used by an attacker to crash a running `tcpdump' process. Discovery 2003-12-24 Entry 2004-01-19 tcpdump < 3.8.1_351 FreeBSD < 5.2.1 CVE-2003-0989 CVE-2003-1029 CVE-2004-0057 http://www.tcpdump.org/lists/workers/2003/12/msg00083.html http://marc.theaimsgroup.com/?l=tcpdump-workers&m=107325073018070&w=2 |
97f09f2f-ca3f-11df-aade-0050568f000c | FreeBSD -- ZFS ZIL playback with insecure permissions Problem Description: When replaying a setattr transaction, the replay code would set the attributes with certain insecure defaults when the logged transaction did not touch these attributes. Discovery 2010-01-06 Entry 2010-10-24 Modified 2016-08-09 FreeBSD ge 7.1 lt 7.1_10 ge 7.2 lt 7.2_6 ge 8.0 lt 8.0_2 SA-10:03.zfs |
98b71436-656d-11e9-8e67-206a8a720317 | FreeBSD -- SAE confirm missing state validation Problem Description: When hostapd is used to operate an access point with SAE (Simultaneous Authentication of Equals; also known as WPA3-Personal), an invalid authentication sequence could result in the hostapd process terminating due to a NULL pointer dereference when processing the SAE confirm message. This was caused by missing state validation steps when processing the SAE confirm message in hostapd/AP mode. See https://w1.fi/security/2019-3/sae-confirm-missing-state-validation.txt for a detailed description of the bug. Impact: All hostapd versions with SAE support (CONFIG_SAE=y in the build configuration and SAE being enabled in the runtime configuration) are affected. Discovery 2019-04-10 Entry 2019-04-23 FreeBSD ge 12.0 lt 12.0_3 ge 11.2 lt 11.2_9 wpa_supplicant < 2.8 hostapd < 2.8 CVE-2019-9496 |
9d15355b-ce7c-11e4-9db0-d050992ecde8 | OpenSSL -- multiple vulnerabilities OpenSSL project reports:
Discovery 2015-03-19 Entry 2015-03-19 Modified 2016-08-09 openssl ge 1.0.1 lt 1.0.1_19 mingw32-openssl ge 1.0.1 lt 1.0.1m linux-c6-openssl < 1.0.1e_4 libressl le 2.1.5_1 FreeBSD ge 10.1 lt 10.1_8 ge 9.3 lt 9.3_12 ge 8.4 lt 8.4_26 SA-15:06.openssl ports/198681 CVE-2015-0204 CVE-2015-0286 CVE-2015-0287 CVE-2015-0289 CVE-2015-0292 CVE-2015-0293 CVE-2015-0209 CVE-2015-0288 https://www.openssl.org/news/secadv_20150319.txt |
9f7a0f39-ddc0-11e7-b5af-a4badb2f4699 | FreeBSD -- OpenSSL multiple vulnerabilities Problem Description: Invoking SSL_read()/SSL_write() while in an error state causes data to be passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. [CVE-2017-3737] There is an overflow bug in the x86_64 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). [CVE-2017-3738] This bug only affects FreeBSD 11.x. Impact: Applications with incorrect error handling may inappropriately pass unencrypted data. [CVE-2017-3737] Mishandling of carry propagation will produce incorrect output, and make it easier for a remote attacker to obtain sensitive private-key information. No EC algorithms are affected and analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. [CVE-2017-3738] Discovery 2017-12-09 Entry 2017-12-10 FreeBSD ge 11.1 lt 11.1_6 ge 10.4 lt 10.4_5 ge 10.3 lt 10.3_26 CVE-2016-0701 CVE-2017-3737 CVE-2017-3738 SA-17:12.openssl |
9fae0f1f-df82-11d9-b875-0001020eed82 | tcpdump -- infinite loops in protocol decoding Problem Description: Several tcpdump protocol decoders contain programming errors which can cause them to go into infinite loops. Impact: An attacker can inject specially crafted packets into the network which, when processed by tcpdump, could lead to a denial-of-service. After the attack, tcpdump would no longer capture traffic, and would potentially use all available processor time. Discovery 2005-06-09 Entry 2005-06-18 Modified 2005-06-20 FreeBSD ge 5.4 lt 5.4_2 ge 5.3 lt 5.3_16 tcpdump < 3.8.3_2 CVE-2005-1278 CVE-2005-1267 CVE-2005-1279 CVE-2005-1280 SA-05:10.tcpdump http://marc.theaimsgroup.com/?l=bugtraq&m=111454406222040 http://marc.theaimsgroup.com/?l=bugtraq&m=111454461300644 http://marc.theaimsgroup.com/?l=bugtraq&m=111928309502304 |
a1323a76-28f1-11ed-a72a-002590c1f29c | FreeBSD -- zlib heap buffer overflow Problem Description: zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. Impact: Applications that call inflateGetHeader may be vulnerable to a buffer overflow. Note that inflateGetHeader is not used by anything in the FreeBSD base system, but may be used by third party software. Discovery 2022-08-30 Entry 2022-08-31 FreeBSD ge 13.1 lt 13.1_2 ge 13.0 lt 13.0_13 ge 12.3 lt 12.3_7 CVE-2022-37434 SA-22:13.zlib |
a207bbd8-6572-11e9-8e67-206a8a720317 | FreeBSD -- EAP-pwd message reassembly issue with unexpected fragment Problem Description: The EAP-pwd implementation in hostapd (EAP server) and wpa_supplicant (EAP peer) does not validate fragmentation reassembly state properly for a case where an unexpected fragment could be received. This could result in process termination due to a NULL pointer dereference. See https://w1.fi/security/2019-5/eap-pwd-message-reassembly-issue-with-unexpected-fragment.txt for a detailed description of the bug. Impact: All wpa_supplicant and hostapd versions with EAP-pwd support could suffer a denial of service attack through process termination. Discovery 2019-04-18 Entry 2019-04-23 FreeBSD ge 12.0 lt 12.0_3 ge 11.2 lt 11.2_9 wpa_supplicant < 2.8 hostapd < 2.8 https://w1.fi/security/2019-5/eap-pwd-message-reassembly-issue-with-unexpected-fragment.txt |
a2cb7c31-9c79-11ea-a9c2-d05099c0ae8c | unbound -- multiple vulnerabilities NLNetLabs reports:
Discovery 2020-05-19 Entry 2020-05-22 Modified 2020-07-10 unbound < 1.10.1 FreeBSD ge 12.1 lt 12.1_7 ge 11.4 lt 11.4_1 ge 11.3 lt 11.3_11 SA-20:19.unbound https://lists.nlnetlabs.nl/pipermail/unbound-users/2020-May/006833.html CVE-2020-12662 CVE-2020-12663 |
a6d5d4c1-0564-11ec-b69d-4062311215d5 | FreeBSD -- Missing error handling in bhyve(8) device models Problem Description: Certain VirtIO-based device models failed to handle errors when fetching I/O descriptors. Such errors could be triggered by a malicious guest. As a result, the device model code could be tricked into operating on uninitialized I/O vectors, leading to memory corruption. Impact: A malicious guest may be able to crash the bhyve process. It may be possible to exploit the memory corruption bugs to achieve arbitrary code execution in the bhyve process. Discovery 2021-08-24 Entry 2021-08-25 FreeBSD ge 13.0 lt 13.0_4 ge 12.2 lt 12.2_10 ge 11.4 lt 11.4_13 CVE-2021-29631 SA-21:13.bhyve |
a8654f1d-770d-11eb-b87a-901b0ef719ab | FreeBSD -- login.access fails to apply rules Problem Description: A regression in the login.access(5) rule processor has the effect of causing rules to fail to match even when they should not. This means that rules denying access may be ignored. Impact: The configuration in login.access(5) may not be applied, permitting login access to users even when the system is configured to deny it. Discovery 2021-02-24 Entry 2021-02-25 FreeBSD ge 12.2 lt 12.2_4 ge 11.4 lt 11.4_8 CVE-2020-25580 SA-21:03.pam_login_access |
a8ec4db7-a398-11e5-85e9-14dae9d210b8 | bind -- multiple vulnerabilities ISC reports:
Discovery 2015-11-24 Entry 2015-12-16 Modified 2016-08-09 bind99 < 9.9.8P2 bind910 < 9.10.3P2 bind9-devel < 9.11.0.a20151215 FreeBSD ge 9.3 lt 9.3_32 https://kb.isc.org/article/AA-01328/0/BIND-9.10.3-P2-Release-Notes.html https://kb.isc.org/article/AA-01317/0/CVE-2015-8000%3A-Responses-with-a-malformed-class-attribute-can-trigger-an-assertion-failure-in-db.c.html https://kb.isc.org/article/AA-01319/0/CVE-2015-8461%3A-A-race-condition-when-handling-socket-errors-can-lead-to-an-assertion-failure-in-resolver.c.html CVE-2015-3193 CVE-2015-8000 CVE-2015-8461 SA-15:27.bind |
ab3e98d9-8175-11e4-907d-d050992ecde8 | bind -- denial of service vulnerability ISC reports:
Discovery 2014-12-08 Entry 2014-12-11 Modified 2016-08-09 bind99 bind99-base < 9.9.6 bind98 bind98-base bind96 bind96-base gt 0 FreeBSD ge 9.3 lt 9.3_6 ge 9.2 lt 9.2_16 ge 9.1 lt 9.1_23 ge 8.4 lt 8.4_20 SA-14:29.bind CVE-2014-8500 CVE-2014-8680 https://www.isc.org/blogs/important-security-advisory-posted/ |
abef280d-d829-11e2-b71c-8c705af55518 | FreeBSD -- Privilege escalation via mmap
Discovery 2013-06-18 Entry 2013-06-18 Modified 2016-08-09 FreeBSD ge 9.0 lt 9.1_4 CVE-2013-2171 SA-13:06.mmap |
ad08d14b-ca3d-11df-aade-0050568f000c | FreeBSD -- Improper environment sanitization in rtld(1) Problem Description: When running setuid programs rtld will normally remove potentially dangerous environment variables. Due to recent changes in FreeBSD environment variable handling code, a corrupt environment may result in attempts to unset environment variables failing. Discovery 2009-12-03 Entry 2010-10-24 Modified 2016-08-09 FreeBSD ge 7.1 lt 7.1_9 ge 7.2 lt 7.2_5 ge 8.0 lt 8.0_1 SA-09:16.rtld |
aed44c4e-c067-11e1-b5e0-000c299b62e1 | FreeBSD -- Privilege escalation when returning from kernel Problem description:
Discovery 2012-06-12 Entry 2012-06-27 FreeBSD ge 7.4 lt 7.4_9 ge 8.1 lt 8.1_12 ge 8.2 lt 8.2_9 ge 8.3 lt 8.3_3 ge 9.0 lt 9.0_3 SA-12:04.sysret CVE-2012-0217 |
af485ef4-1c58-11e8-8477-d05099c0ae8c | ntp -- multiple vulnerabilities Network Time Foundation reports:
Discovery 2018-02-27 Entry 2018-02-28 Modified 2018-03-14 FreeBSD ge 11.1 lt 11.1_7 ge 10.4 lt 10.4_6 ge 10.3 lt 10.3_27 ntp < 4.2.8p11 ntp-devel gt 0 CVE-2016-1549 CVE-2018-7182 CVE-2018-7170 CVE-2018-7184 CVE-2018-7185 CVE-2018-7183 SA-18:02.ntp http://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S |
b1b6d623-83e4-11ec-90de-1c697aa5a594 | FreeBSD -- vt console buffer overflow Problem Description: Under certain conditions involving use of the highlight buffer while text is scrolling on the console, console data may overwrite data structures associated with the system console or other kernel memory. Impact: Users with access to the system console may be able to cause system misbehaviour. Discovery 2022-01-11 Entry 2022-02-02 FreeBSD ge 13.0 lt 13.0_6 ge 12.2 lt 12.2_12 CVE-2021-29632 SA-22:01.vt |
b2487d9a-0c30-11e6-acd0-d050996490d0 | ntp -- multiple vulnerabilities Network Time Foundation reports:
Discovery 2016-04-26 Entry 2016-04-27 Modified 2016-08-09 ntp < 4.2.8p7 ntp-devel < 4.3.92 FreeBSD ge 10.3 lt 10.3_1 ge 10.2 lt 10.2_15 ge 10.1 lt 10.1_32 ge 9.3 lt 9.3_40 SA-16:16.ntp CVE-2015-7704 CVE-2015-8138 CVE-2016-1547 CVE-2016-1548 CVE-2016-1549 CVE-2016-1550 CVE-2016-1551 CVE-2016-2516 CVE-2016-2517 CVE-2016-2518 CVE-2016-2519 http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security |
b4578647-c12b-11e5-96d6-14dae9d210b8 | bind -- denial of service vulnerability ISC reports:
Discovery 2016-01-19 Entry 2016-01-22 Modified 2016-08-09 bind99 < 9.9.8P3 bind910 < 9.10.3P3 FreeBSD ge 9.3 lt 9.3_35 https://kb.isc.org/article/AA-01335 CVE-2015-8704 SA-16:08.bind |
b72bad1c-20ed-11e3-be06-000c29ee3065 | FreeBSD -- Cross-mount links between nullfs(5) mounts Problem Description: The nullfs(5) implementation of the VOP_LINK(9) VFS operation does not check whether the source and target of the link are both in the same nullfs instance. It is therefore possible to create a hardlink from a location in one nullfs instance to a file in another, as long as the underlying (source) filesystem is the same. Impact: If multiple nullfs views into the same filesystem are mounted in different locations, a user with read access to one of these views and write access to another will be able to create a hard link from the latter to a file in the former, even though they are, from the user's perspective, different filesystems. The user may thereby gain write access to files which are nominally on a read-only filesystem. Discovery 2013-09-10 Entry 2013-09-19 Modified 2016-08-09 FreeBSD ge 9.1 lt 9.1_7 ge 8.4 lt 8.4_4 ge 8.3 lt 8.3_11 CVE-2013-5710 SA-13:13.nullfs |
bfb36941-84fa-11d8-a41f-0020ed76ef5a | Incorrect cross-realm trust handling in Heimdal Heimdal does not correctly validate the `transited' field of Kerberos tickets when computing the authentication path. This could allow a rogue KDC with which cross-realm relationships have been established to impersonate any KDC in the authentication path. Discovery 2004-04-01 Entry 2004-04-02 Modified 2004-05-05 heimdal < 0.6.1 FreeBSD ge 5.0 lt 5.2_6 ge 4.9 lt 4.9_6 ge 4.0 lt 4.8_19 CVE-2004-0371 SA-04:08.heimdal http://www.pdc.kth.se/heimdal/advisory/2004-04-01/ |
c01a25f5-8f20-11da-8c1d-000e0c2e438a | texindex -- temporary file privilege escalation Problem description The "sort_offline" function used by texindex(1) employs the "maketempname" function, which produces predictable file names and fails to validate that the paths do not exist. Impact These predictable temporary file names are problematic because they allow an attacker to take advantage of a race condition in order to execute a symlink attack, which could enable them to overwrite files on the system in the context of the user running the texindex(1) utility. Workaround No workaround is available, but the problematic code is only executed if the input file being processed is 500kB or more in length; as a result, users working with documents of less than several hundred pages are very unlikely to be affected. Discovery 2006-01-11 Entry 2006-01-27 FreeBSD ge 6.0 lt 6.0_2 ge 5.4 lt 5.4_9 ge 5.3 lt 5.3_24 ge 4.11 lt 4.11_14 ge 4.10 lt 4.10_20 14854 CAN-2005-3011 SA-06:01.texindex |
c2576e14-36e2-11e9-9eda-206a8a720317 | ntp -- Crafted null dereference attack from a trusted source with an authenticated mode 6 packet Network Time Foundation reports: Discovery 2019-01-15 Entry 2019-03-07 Modified 2019-07-30 ntp < 4.2.8p13 FreeBSD ge 12.0 lt 12.0_2 ge 11.2 lt 11.2_8 http://bugs.ntp.org/3565 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-8936 https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:M/C:N/I:N/A:C) https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H CVE-2019-8936 SA-19:04.ntp |
c4a18a12-77fc-11e5-a687-206a8a720317 | ntp -- 13 low- and medium-severity vulnerabilities ntp.org reports: Discovery 2015-10-21 Entry 2015-10-21 Modified 2016-08-09 ntp < 4.2.8p4 ntp-devel < 4.3.76 FreeBSD ge 10.2 lt 10.2_7 ge 10.1 lt 10.1_24 ge 9.3 lt 9.3_30 SA-15:25.ntp CVE-2015-7691 CVE-2015-7692 CVE-2015-7701 CVE-2015-7702 CVE-2015-7703 CVE-2015-7704 CVE-2015-7705 CVE-2015-7848 CVE-2015-7849 CVE-2015-7850 CVE-2015-7851 CVE-2015-7852 CVE-2015-7853 CVE-2015-7854 CVE-2015-7855 CVE-2015-7871 http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities |
c4ac9c79-ab37-11ea-8b5e-b42e99a1b9c3 | several security issues in sqlite3 sqlite3 update: Various security issues could be used by an attacker to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. Discovery 2020-05-25 Entry 2020-06-10 Modified 2020-08-06 sqlite3 < 3.32.2,1 FreeBSD ge 12.1 lt 12.1_8 ge 11.4 lt 11.4_2 ge 11.3 lt 11.3_12 https://nvd.nist.gov/vuln/detail/CVE-2020-11655 CVE-2020-11655 https://nvd.nist.gov/vuln/detail/CVE-2020-13434 CVE-2020-13434 https://nvd.nist.gov/vuln/detail/CVE-2020-13435 CVE-2020-13435 https://nvd.nist.gov/vuln/detail/CVE-2020-13630 CVE-2020-13630 https://nvd.nist.gov/vuln/detail/CVE-2020-13631 CVE-2020-13631 https://nvd.nist.gov/vuln/detail/CVE-2020-13632 CVE-2020-13632 SA-20:22.sqlite |
c4b025bb-f05d-11d8-9837-000c41e2cdad | tnftpd -- remotely exploitable vulnerability lukemftpd(8) is an enhanced BSD FTP server produced within the NetBSD project. The sources for lukemftpd are shipped with some versions of FreeBSD, however it is not built or installed by default. The build system option WANT_LUKEMFTPD must be set to build and install lukemftpd. [NOTE: An exception is FreeBSD 4.7-RELEASE, wherein lukemftpd was installed, but not enabled, by default.] Przemyslaw Frasunek discovered several vulnerabilities in lukemftpd arising from races in the out-of-band signal handling code used to implement the ABOR command. As a result of these races, the internal state of the FTP server may be manipulated in unexpected ways. A remote attacker may be able to cause FTP commands to be executed with the privileges of the running lukemftpd process. This may be a low-privilege `ftp' user if the `-r' command line option is specified, or it may be superuser privileges if `-r' is *not* specified. Discovery 2004-08-17 Entry 2004-08-17 Modified 2016-08-11 tnftpd < 20040810 lukemftpd ge 0 FreeBSD le 4.7 CVE-2004-0794 10967 http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/ftpd/ftpd.c#rev1.158 ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-009.txt.asc http://lists.netsys.com/pipermail/full-disclosure/2004-August/025418.html |
c5c17ead-8f23-11da-8c1d-000e0c2e438a | cvsbug -- race condition Problem description A temporary file is created, used, deleted, and then re-created with the same name. This creates a window during which an attacker could replace the file with a link to another file. While cvsbug(1) is based on the send-pr(1) utility, this problem does not exist in the version of send-pr(1) distributed with FreeBSD. Impact A local attacker could cause data to be written to any file to which the user running cvsbug(1) (or send-pr(1) in FreeBSD 4.10 and 5.3) has write access. This may cause damage in itself (e.g., by destroying important system files or documents) or may be used to obtain elevated privileges. Workaround Do not use the cvsbug(1) utility on any system with untrusted users. Discovery 2005-09-07 Entry 2006-01-27 Modified 2006-11-08 FreeBSD ge 5.4 lt 5.4_7 ge 5.3 lt 5.3_22 ge 4.11 lt 4.11_12 ge 4.10 lt 4.10_18 cvs+ipv6 < 1.11.17_1 CAN-2005-2693 SA-05:20.cvsbug |
c611be81-fbc2-11da-9156-000e0c2e438a | sendmail -- Incorrect multipart message handling Problem Description A suitably malformed multipart MIME message can cause sendmail to exceed predefined limits on its stack usage. Impact An attacker able to send mail to, or via, a server can cause queued messages on the system to not be delivered, by causing the sendmail process which handles queued messages to crash. Note that this will not stop new messages from entering the queue (either from local processes, or incoming via SMTP). Workaround No workaround is available, but systems which do not receive email from untrusted sources are not vulnerable. Discovery 2006-06-14 Entry 2006-06-14 FreeBSD ge 4.11 lt 4.11_19 ge 5.3 lt 5.3_31 ge 5.4 lt 5.4_16 ge 5.5 lt 5.5_2 ge 6.0 lt 6.0_9 ge 6.1 lt 6.1_2 CVE-2006-1173 SA-06:17.sendmail |
c702944a-db0f-11dd-aa56-000bcdf0a03b | FreeBSD -- netgraph / bluetooth privilege escalation Problem Description: Some function pointers for netgraph and bluetooth sockets are not properly initialized. Impact: A local user can cause the FreeBSD kernel to execute arbitrary code. This could be used by an attacker directly; or it could be used to gain root privilege or to escape from a jail. Workaround: No workaround is available, but systems without local untrusted users are not vulnerable. Furthermore, systems are not vulnerable if they have neither the ng_socket nor ng_bluetooth kernel modules loaded or compiled into the kernel. Systems with the security.jail.socket_unixiproute_only sysctl set to 1 (the default) are only vulnerable if they have local untrusted users outside of jails. If the command produces no output, the system is not vulnerable. Discovery 2008-12-23 Entry 2009-01-05 Modified 2016-08-09 FreeBSD ge 6.3 lt 6.3_7 ge 6.4 lt 6.4_1 ge 7.0 lt 7.0_7 SA-08:13.protosw |
c8d902b1-8550-11e6-81e7-d050996490d0 | BIND -- Remote Denial of Service vulnerability ISC reports: Discovery 2016-09-27 Entry 2016-09-28 Modified 2016-10-10 bind99 < 9.9.9P3 bind910 < 9.10.4P3 bind911 < 9.11.0.rc3 bind9-devel < 9.12.0.a.2016.09.10 FreeBSD ge 9.3 lt 9.3_48 CVE-2016-2776 SA-16:28.bind https://kb.isc.org/article/AA-01419 |
c9075321-f483-11e5-92ce-002590263bf5 | bind -- denial of service vulnerability ISC reports: Discovery 2016-03-09 Entry 2016-03-28 Modified 2016-08-09 bind98 le 9.8.8 bind99 ge 9.9.0 lt 9.9.8P4 bind910 ge 9.10.0 lt 9.10.3P4 bind9-devel < 9.11.0.a20160309 FreeBSD ge 9.3 lt 9.3_38 CVE-2016-1285 SA-16:13.bind https://kb.isc.org/article/AA-01352 |
c93533a3-24f1-11e5-8b74-3c970e169bc2 | bind -- denial of service vulnerability ISC reports: Discovery 2015-07-07 Entry 2015-07-07 Modified 2016-08-09 bind910 < 9.10.2P2 bind99 < 9.9.7P1 bind910-base bind99-base gt 0 FreeBSD ge 9.3 lt 9.3_19 ge 8.4 lt 8.4_33 SA-15:11.bind CVE-2015-4620 https://kb.isc.org/article/AA-01267/ |
c9d2e361-32fb-11db-a6e2-000e0c2e438a | sppp -- buffer overflow vulnerability Problem Description While processing Link Control Protocol (LCP) configuration options received from the remote host, sppp(4) fails to correctly validate option lengths. This may result in data being read or written beyond the allocated kernel memory buffer. Impact An attacker able to send LCP packets, including the remote end of a sppp(4) connection, can cause the FreeBSD kernel to panic. Such an attacker may also be able to obtain sensitive information or gain elevated privileges. Workaround No workaround is available, but systems which do not use sppp(4) are not vulnerable. Discovery 2006-08-23 Entry 2006-08-23 Modified 2006-08-30 FreeBSD < 4.11_20 ge 5.3 lt 5.3_32 ge 5.4 lt 5.4_17 ge 5.5 lt 5.5_3 ge 6.0 lt 6.0_10 ge 6.1 lt 6.1_4 CVE-2006-4304 SA-06:18.ppp |
cb252f01-7c43-11e3-b0a6-005056a37f68 | bind -- denial of service vulnerability ISC reports: Discovery 2014-01-08 Entry 2014-01-13 Modified 2016-08-09 bind99 < 9.9.4.2 bind99-base < 9.9.4.2 bind98 < 9.8.6.2 bind98-base < 9.8.6.2 bind96 < 9.6.3.2.ESV.R10.2 bind96-base < 9.6.3.2.ESV.R10.2 FreeBSD ge 9.2 lt 9.2_3 ge 9.1 lt 9.1_10 ge 8.4 lt 8.4_7 ge 8.3 lt 8.3_14 CVE-2014-0591 SA-14:04.bind https://kb.isc.org/article/AA-01078/74/ |
cba246d2-f483-11e5-92ce-002590263bf5 | bind -- denial of service vulnerability ISC reports: Discovery 2016-03-09 Entry 2016-03-28 Modified 2016-08-09 bind98 le 9.8.8 bind99 ge 9.9.0 lt 9.9.8P4 bind910 ge 9.10.0 lt 9.10.3P4 bind9-devel < 9.11.0.a20160309 FreeBSD ge 9.3 lt 9.3_38 CVE-2016-1286 SA-16:13.bind https://kb.isc.org/article/AA-01353 |
ce808022-8ee6-11e6-a590-14dae9d210b8 | FreeBSD -- Heap overflow vulnerability in bspatch Problem Description: The implementation of bspatch is susceptible to integer overflows with carefully crafted input, potentially allowing an attacker who can control the patch file to write at arbitrary locations in the heap. This issue was partially addressed in FreeBSD-SA-16:25.bspatch, but some possible integer overflows remained. Impact: An attacker who can control the patch file can cause a crash or run arbitrary code under the credentials of the user who runs bspatch, in many cases, root. Discovery 2016-10-10 Entry 2016-10-10 FreeBSD ge 11.0 lt 11.0_1 ge 10.3 lt 10.3_10 ge 10.2 lt 10.2_23 ge 10.1 lt 10.1_40 ge 9.3 lt 9.3_48 SA-16:29.bspatch |
cf3b9a96-f7bb-11da-9156-000e0c2e438a | smbfs -- chroot escape Problem Description smbfs does not properly sanitize paths containing a backslash character; in particular the directory name '..\' is interpreted as the parent directory by the SMB/CIFS server, but smbfs handles it in the same manner as any other directory. Impact When inside a chroot environment which resides on a smbfs mounted file system, it is possible for an attacker to escape out of this chroot to any other directory on the smbfs mounted file system. Workaround Mount the smbfs file systems which need to be used with chroot in such a way that the chroot directory is exactly the mount point and not a subdirectory. Discovery 2006-05-31 Entry 2006-06-09 FreeBSD ge 4.10 lt 4.10_24 ge 4.11 lt 4.11_18 ge 5.3 lt 5.3_30 ge 5.4 lt 5.4_15 ge 5.5 lt 5.5_1 ge 6.0 lt 6.0_8 ge 6.1 lt 6.1_1 CVE-2006-2654 SA-06:16.smbfs |
d2102505-f03d-11d8-81b0-000347a4fa7d | cvs -- numerous vulnerabilities A number of vulnerabilities were discovered in CVS by Stefan Esser, Sebastian Krahmer, and Derek Price.
Additionally, iDEFENSE reports an undocumented command-line flag used in debugging does not perform input validation on the given path names. CVS servers ("cvs server" or :pserver: modes) are affected by these vulnerabilities. They vary in impact but include information disclosure (the iDEFENSE-reported bug), denial-of-service (CVE-2004-0414, CVE-2004-0416, CVE-2004-0417 and other bugs), or possibly arbitrary code execution (CVE-2004-0418). In very special situations where the attacker may somehow influence the contents of CVS configuration files in CVSROOT, additional attacks may be possible. Discovery 2004-05-20 Entry 2004-08-17 Modified 2004-09-19 cvs+ipv6 < 1.11.17 FreeBSD ge 5.2 lt 5.2.1_10 ge 4.10 lt 4.10_3 ge 4.9 lt 4.9_12 ge 4.8 lt 4.8_25 SA-04:14.cvs CVE-2004-0414 CVE-2004-0416 CVE-2004-0417 CVE-2004-0418 CVE-2004-0778 http://secunia.com/advisories/11817 http://secunia.com/advisories/12309 http://security.e-matters.de/advisories/092004.html http://www.idefense.com/application/poi/display?id=130&type=vulnerabilities&flashstatus=false https://ccvs.cvshome.org/source/browse/ccvs/NEWS?rev=1.116.2.104 http://www.osvdb.org/6830 http://www.osvdb.org/6831 http://www.osvdb.org/6832 http://www.osvdb.org/6833 http://www.osvdb.org/6834 http://www.osvdb.org/6835 http://www.osvdb.org/6836 10499 |
d22b336d-0567-11ec-b69d-4062311215d5 | FreeBSD -- libfetch out of bounds read Problem Description: The passive mode in FTP communication allows an out of boundary read while libfetch uses strtol to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for *p == '\0' one byte too late because p++ was already performed. Impact: The connection buffer size can be controlled by a malicious FTP server because the size is increased until a newline is encountered (or no more characters are read). This also allows the buffer to be moved into more interesting areas within the address space, potentially parsing numbers relevant to the attacker. Since these bytes become available to the server in the form of a new TCP connection to a constructed port number, or even as part of the IPv6 address, this is a potential information leak. Discovery 2021-08-24 Entry 2021-08-25 FreeBSD ge 13.0 lt 13.0_4 ge 12.2 lt 12.2_10 ge 11.4 lt 11.4_13 CVE-2021-36159 SA-21:15.libfetch |
d455708a-e3d3-11e6-9940-b499baebfeaf | OpenSSL -- multiple vulnerabilities The OpenSSL project reports: Discovery 2017-01-26 Entry 2017-01-26 Modified 2017-05-26 openssl < 1.0.2k,1 openssl-devel < 1.1.0d linux-c6-openssl < 1.0.1e_13 linux-c7-openssl-libs < 1.0.1e_3 FreeBSD ge 11.0 lt 11.0_8 ge 10.3 lt 10.3_17 https://www.openssl.org/news/secadv/20170126.txt CVE-2016-7055 CVE-2017-3730 CVE-2017-3731 CVE-2017-3732 SA-17:02.openssl |
d4c7e9a9-d893-11e6-9b4d-d050996490d0 | BIND -- multiple vulnerabilities ISC reports: Discovery 2017-01-11 Entry 2017-01-12 bind99 < 9.9.9P5 bind910 < 9.10.4P5 bind911 < 9.11.0P2 bind9-devel le 9.12.0.a.2016.12.28 FreeBSD ge 9.3 lt 10.0 CVE-2016-9131 CVE-2016-9147 CVE-2016-9444 CVE-2016-9778 https://kb.isc.org/article/AA-01439/0 https://kb.isc.org/article/AA-01440/0 https://kb.isc.org/article/AA-01441/0 https://kb.isc.org/article/AA-01442/0 |
d7c1d00d-9d2e-11da-8c1d-000e0c2e438a | ipfw -- IP fragment denial of service Problem description: The firewall maintains a pointer to layer 4 header information in the event that it needs to send a TCP reset or ICMP error message to discard packets. Due to incorrect handling of IP fragments, this pointer fails to get initialized. Impact: An attacker can cause the firewall to crash by sending ICMP IP fragments to or through firewalls which match any reset, reject or unreach actions. Workaround: Change any reset, reject or unreach actions to deny. It should be noted that this will result in packets being silently discarded. Discovery 2006-01-11 Entry 2006-02-14 Modified 2016-08-09 FreeBSD ge 6.0 lt 6.0_2 CVE-2006-0054 SA-06:04.ipfw |
dade3316-9d31-11da-8c1d-000e0c2e438a | IEEE 802.11 -- buffer overflow Problem description: An integer overflow in the handling of corrupt IEEE 802.11 beacon or probe response frames when scanning for existing wireless networks can result in the frame overflowing a buffer. Impact: An attacker able to broadcast a carefully crafted beacon or probe response frame may be able to execute arbitrary code within the context of the FreeBSD kernel on any system scanning for wireless networks. Workaround: No workaround is available, but systems without IEEE 802.11 hardware or drivers loaded are not vulnerable. Discovery 2006-01-18 Entry 2006-02-14 Modified 2016-08-09 FreeBSD ge 6.0 lt 6.0_3 CVE-2006-0226 SA-06:05.80211 |
dfb71c00-9d44-11da-8c1d-000e0c2e438a | FreeBSD -- Infinite loop in SACK handling Problem description: When insufficient memory is available to handle an incoming selective acknowledgement, the TCP/IP stack may enter an infinite loop. Impact: By opening a TCP connection and sending a carefully crafted series of packets, an attacker may be able to cause a denial of service. Workaround: On FreeBSD 5.4, the net.inet.tcp.sack.enable sysctl can be used to disable the use of SACK: # sysctl net.inet.tcp.sack.enable=0 No workaround is available for FreeBSD 5.3. Discovery 2006-02-01 Entry 2006-02-14 Modified 2016-08-09 FreeBSD ge 5.4 lt 5.4_11 ge 5.3 lt 5.3_26 CVE-2006-0433 SA-06:08.sack |
dfe0cdc1-baf2-11e5-863a-b499baebfeaf | openssh -- information disclosure OpenSSH reports: Discovery 2016-01-14 Entry 2016-01-14 Modified 2016-08-09 openssh-portable gt 5.4.p0,1 lt 7.1.p2,1 FreeBSD ge 10.2 lt 10.2_10 ge 10.1 lt 10.1_27 ge 9.3 lt 9.3_34 http://www.openssh.com/security.html CVE-2016-0777 CVE-2016-0778 SA-16:07 |
e00304d2-bbed-11e6-b1cf-14dae9d210b8 | FreeBSD -- Possible login(1) argument injection in telnetd(8) Problem Description: An unexpected sequence of memory allocation failures combined with insufficient error checking could result in the construction and execution of an argument sequence that was not intended. Impact: An attacker who controls the sequence of memory allocation failures and success may cause login(1) to run without authentication and may be able to cause misbehavior of login(1) replacements. No practical way of controlling these memory allocation failures is known at this time. Discovery 2016-12-06 Entry 2016-12-06 FreeBSD ge 11.0 lt 11.0_4 ge 10.3 lt 10.3_13 ge 10.2 lt 10.2_26 ge 10.1 lt 10.1_43 ge 9.3 lt 9.3_51 CVE-2016-1888 SA-16:36.telnetd |
e2748c9d-3483-11eb-b87a-901b0ef719ab | FreeBSD -- Multiple vulnerabilities in rtsold Problem Description: Two bugs exist in rtsold(8)'s RDNSS and DNSSL option handling. First, rtsold(8) failed to perform sufficient bounds checking on the extent of the option. In particular, it does not verify that the option does not extend past the end of the received packet before processing its contents. The kernel currently ignores such malformed packets but still passes them to userspace programs. Second, when processing a DNSSL option, rtsold(8) decodes domain name labels per an encoding specified in RFC 1035 in which the first octet of each label contains the label's length. rtsold(8) did not validate label lengths correctly and could overflow the destination buffer. Impact: It is believed that these bugs could be exploited to gain remote code execution within the rtsold(8) daemon, which runs as root. Note that rtsold(8) only processes messages received from hosts attached to the same physical link as the interface(s) on which rtsold(8) is listening. In FreeBSD 12.2 rtsold(8) runs in a Capsicum sandbox, limiting the scope of a compromised rtsold(8) process. Discovery 2020-12-01 Entry 2020-12-02 FreeBSD ge 12.2 lt 12.2_1 ge 12.1 lt 12.1_11 ge 11.4 lt 11.4_5 CVE-2020-25577 SA-20:32.rtsold |
e289f7fd-88ac-11d8-90d1-0020ed76ef5a | many out-of-sequence TCP packets denial-of-service FreeBSD does not limit the number of TCP segments that may be held in a reassembly queue. A remote attacker may conduct a low-bandwidth denial-of-service attack against a machine providing services based on TCP (there are many such services, including HTTP, SMTP, and FTP). By sending many out-of-sequence TCP segments, the attacker can cause the target machine to consume all available memory buffers ("mbufs"), likely leading to a system crash. Discovery 2004-02-18 Entry 2004-04-07 Modified 2004-05-05 FreeBSD ge 5.2 lt 5.2.1_2 ge 5.0 lt 5.1_15 ge 4.9 lt 4.9_3 ge 4.8 lt 4.8_16 < 4.7_26 CVE-2004-0171 SA-04:04.tcp http://www.idefense.com/application/poi/display?id=78&type=vulnerabilities |
e4644df8-e7da-11e5-829d-c80aa9043978 | openssh -- command injection when X11Forwarding is enabled The OpenSSH project reports: Discovery 2016-03-11 Entry 2016-03-11 Modified 2016-08-09 openssh-portable < 7.2.p2,1 FreeBSD ge 10.2 lt 10.2_14 ge 10.1 lt 10.1_31 ge 9.3 lt 9.3_39 http://www.openssh.com/txt/x11fwd.adv CVE-2016-3115 SA-16:14.openssh |
e500b9bf-ca3e-11df-aade-0050568f000c | FreeBSD -- BIND named(8) cache poisoning with DNSSEC validation Problem Description: If a client requests DNSSEC records with the Checking Disabled (CD) flag set, BIND may cache the unvalidated responses. These responses may later be returned to another client that has not set the CD flag. Discovery 2010-01-06 Entry 2010-10-24 Modified 2016-08-09 FreeBSD ge 6.3 lt 6.3_15 ge 6.4 lt 6.4_9 ge 7.1 lt 7.1_10 ge 7.2 lt 7.2_6 ge 8.0 lt 8.0_2 SA-10:01.bind |
e50a7476-bb2d-11da-b2fb-000e0c2e438a | ipsec -- replay attack vulnerability Problem Description IPsec provides an anti-replay service which, when enabled, prevents an attacker from successfully executing a replay attack. This is done through the verification of sequence numbers. A programming error in the fast_ipsec(4) implementation results in the sequence number associated with a Security Association not being updated, allowing packets to unconditionally pass sequence number verification checks. Impact An attacker able to intercept IPsec packets can replay them. If higher level protocols which do not provide any protection against packet replays (e.g., UDP) are used, this may have a variety of effects. Workaround No workaround is available. Discovery 2006-03-22 Entry 2006-03-24 Modified 2006-06-09 FreeBSD ge 6.0 lt 6.0_6 ge 5.4 lt 5.4_13 ge 5.3 lt 5.3_28 ge 4.11 lt 4.11_16 ge 4.10 lt 4.10_22 CVE-2006-0905 SA-06:11.ipsec |
e51d5b1a-4638-11e1-9f47-00e0815b8da8 | FreeBSD -- pam_ssh() does not validate service names Discovery 2011-12-23 Entry 2012-01-29 FreeBSD ge 7.3 lt 7.3_9 ge 7.4 lt 7.4_5 ge 8.1 lt 8.1_7 ge 8.2 lt 8.2_5 SA-11:10.pam CVE-2011-4122 |
e66a6e2f-b0d5-11e2-9164-0016e6dcb562 | FreeBSD -- NFS remote denial of service Discovery 2013-04-21 Entry 2013-04-29 Modified 2016-08-09 FreeBSD ge 8.3 lt 8.3_8 ge 9.1 lt 9.1_3 CVE-2013-3266 SA-13:05.nfsserver |
e722e3c6-bbee-11e6-b1cf-14dae9d210b8 | FreeBSD -- bhyve(8) virtual machine escape Problem Description: The bounds checking of accesses to guest memory greater than 4GB by device emulations is subject to integer overflow. Impact: For a bhyve virtual machine with more than 3GB of guest memory configured, a malicious guest could craft device descriptors that could give it access to the heap of the bhyve process. Since the bhyve process is running as root, this may allow guests to obtain full control of the hosts they're running on. Discovery 2016-12-06 Entry 2016-12-06 FreeBSD ge 11.0 lt 11.0_4 ge 10.3 lt 10.3_13 ge 10.2 lt 10.2_26 ge 10.1 lt 10.1_43 CVE-2016-1889 SA-16:38.bhyve |
e7dcd69d-8ee6-11e6-a590-14dae9d210b8 | FreeBSD -- Multiple portsnap vulnerabilities Problem Description: Flaws in portsnap's verification of downloaded tar files allow additional files to be included without causing the verification to fail. Portsnap may then use or execute these files. Impact: An attacker who can conduct a man-in-the-middle attack on the network at the time when portsnap is run can cause portsnap to execute arbitrary commands under the credentials of the user who runs portsnap, typically root. Discovery 2016-10-10 Entry 2016-10-10 FreeBSD ge 11.0 lt 11.0_1 ge 10.3 lt 10.3_10 ge 10.2 lt 10.2_23 ge 10.1 lt 10.1_40 ge 9.3 lt 9.3_48 SA-16:30.portsnap |
e93bc5b0-bb2e-11da-b2fb-000e0c2e438a | OPIE -- arbitrary password change Problem Description The opiepasswd(1) program uses getlogin(2) to identify the user calling opiepasswd(1). In some circumstances getlogin(2) will return "root" even when running as an unprivileged user. This causes opiepasswd(1) to allow an unprivileged user to configure OPIE authentication for the root user. Impact In certain cases an attacker able to run commands as a non-privileged user which has not explicitly logged in, for example CGI scripts run by a web server, is able to configure OPIE access for the root user. If the attacker is able to authenticate as root using OPIE authentication, for example if "PermitRootLogin" is set to "yes" in sshd_config or the attacker has access to a local user in the "wheel" group, the attacker can gain root privileges. Workaround Disable OPIE authentication in PAM: # sed -i "" -e /opie/s/^/#/ /etc/pam.d/* or remove the setuid bit from opiepasswd: # chflags noschg /usr/bin/opiepasswd # chmod 555 /usr/bin/opiepasswd # chflags schg /usr/bin/opiepasswd Discovery 2006-03-22 Entry 2006-03-24 Modified 2006-06-09 FreeBSD ge 6.0 lt 6.0_6 ge 5.4 lt 5.4_13 ge 5.3 lt 5.3_28 ge 4.11 lt 4.11_16 ge 4.10 lt 4.10_22 CVE-2006-1283 SA-06:12.opie |
e9ecaceb-db0d-11dd-aa56-000bcdf0a03b | FreeBSD -- Cross-site request forgery in ftpd(8) Problem Description: The ftpd(8) server splits long commands into several requests. This may result in the server executing a command which is hidden inside another very long command. Impact: This could, with a specifically crafted command, be used in a cross-site request forgery attack. FreeBSD systems running the ftpd(8) server could act as a point of privilege escalation in an attack against users using a web browser to access trusted FTP sites. Workaround: No workaround is available, but systems not running FTP servers are not vulnerable. Systems not running the FreeBSD ftp(8) server are not affected, but users of other ftp daemons are advised to take care since several other ftp daemons are known to have related bugs. Discovery 2008-12-23 Entry 2009-01-05 Modified 2016-08-09 FreeBSD ge 6.3 lt 6.3_7 ge 6.4 lt 6.4_1 ge 7.0 lt 7.0_7 CVE-2008-4247 SA-08:12.ftpd |
ea05c456-a4fd-11ec-90de-1c697aa5a594 | OpenSSL -- Infinite loop in BN_mod_sqrt parsing certificates The OpenSSL project reports: Discovery 2022-03-15 Entry 2022-03-16 Modified 2022-03-16 openssl < 1.1.1n,1 openssl-devel < 3.0.2 openssl-quictls < 3.0.2 libressl < 3.4.3 libressl-devel < 3.5.1 FreeBSD ge 13.0 lt 13.0_8 ge 12.3 lt 12.3_3 ge 12.2 lt 12.2_14 CVE-2022-0778 https://www.openssl.org/news/secadv/20220315.txt SA-22:03.openssl |
eaf3b255-5245-11e5-9ad8-14dae9d210b8 | bind -- denial of service vulnerability ISC reports: Discovery 2015-08-19 Entry 2015-09-03 Modified 2016-08-09 bind99 < 9.9.7P3 bind910 ge 9.10.2 lt 9.10.2P4 bind910-base bind99-base gt 0 FreeBSD ge 9.3 lt 9.3_25 https://www.isc.org/blogs/cve-2015-5722-parsing-malformed-keys-may-cause-bind-to-exit-due-to-a-failed-assertion-in-buffer-c/ CVE-2015-5722 SA-15:23.bind |
ebd84c96-dd7e-11e4-854e-3c970e169bc2 | ntp -- multiple vulnerabilities ntp.org reports: Discovery 2015-04-07 Entry 2015-04-07 ntp < 4.2.8p2 ntp-devel < 4.3.14 FreeBSD ge 10.1 lt 10.1_9 ge 9.3 lt 9.3_13 ge 8.4 lt 8.4_27 SA-15:07.ntp CVE-2015-1798 CVE-2015-1799 http://archive.ntp.org/ntp4/ChangeLog-stable |
eda151d8-4638-11e1-9f47-00e0815b8da8 | FreeBSD -- pam_ssh improperly grants access when user account has unencrypted SSH private keys Discovery 2011-12-23 Entry 2012-01-29 Modified 2013-06-18 FreeBSD ge 7.3 lt 7.3_9 ge 7.4 lt 7.4_5 ge 8.1 lt 8.1_7 ge 8.2 lt 8.2_5 SA-11:09.pam_ssh |
ef3306fc-8f9b-11db-ab33-000e0c2e438a | bind9 -- Denial of Service in named(8) Problem Description For a recursive DNS server, a remote attacker sending enough recursive queries for the replies to arrive after all the interested clients have left the recursion queue will trigger an INSIST failure in the named(8) daemon. Also for a recursive DNS server, an assertion failure can occur when processing a query whose reply will contain more than one SIG(covered) RRset. For an authoritative DNS server serving a RFC 2535 DNSSEC zone which is queried for the SIG records where there are multiple SIG(covered) RRsets (e.g. a zone apex), named(8) will trigger an assertion failure when it tries to construct the response. Impact An attacker who can perform recursive lookups on a DNS server and is able to send a sufficiently large number of recursive queries, or is able to get the DNS server to return more than one SIG(covered) RRsets can stop the functionality of the DNS service. An attacker querying an authoritative DNS server serving a RFC 2535 DNSSEC zone may be able to crash the DNS server. Workaround A possible workaround is to only allow trusted clients to perform recursive queries. Discovery 2006-09-06 Entry 2006-12-19 Modified 2016-08-09 FreeBSD ge 6.1 lt 6.1_6 ge 6.0 lt 6.0_11 ge 5.5 lt 5.5_4 ge 5.4 lt 5.4_18 ge 5.0 lt 5.3_33 bind9 ge 9.0 lt 9.3.2.1 CVE-2006-4095 CVE-2006-4096 SA-06:20.bind |
f04cc5cb-2d0b-11d8-beaf-000a95c4d922 | bind8 negative cache poison attack A programming error in BIND 8 named can result in a DNS message being incorrectly cached as a negative response. As a result, an attacker may arrange for malicious DNS messages to be delivered to a target name server, and cause that name server to cache a negative response for some target domain name. The name server would thereafter respond negatively to legitimate queries for that domain name, resulting in a denial-of-service for applications that require DNS. Discovery 2003-11-28 Entry 2003-12-12 Modified 2004-05-05 bind ge 8.3 lt 8.3.7 ge 8.4 lt 8.4.3 FreeBSD ge 5.1 lt 5.1_11 ge 5.0 lt 5.0_19 ge 4.9 lt 4.9_1 ge 4.8 lt 4.8_14 ge 4.7 lt 4.7_24 ge 4.6 lt 4.6.2_27 ge 4.5 lt 4.5_37 < 4.4_47 CVE-2003-0914 SA-03:19.bind 734644 |
f115f693-36b2-11e2-a633-902b343deec9 | FreeBSD -- Insufficient message length validation for EAP-TLS messages Problem description: Discovery 2012-11-22 Entry 2012-11-24 FreeBSD ge 8.3 lt 8.3_5 ge 9.0 lt 9.0_5 SA-12:07.hostapd CVE-2012-4445 |
f56390a4-4638-11e1-9f47-00e0815b8da8 | FreeBSD -- Buffer overflow in handling of UNIX socket addresses Discovery 2011-09-28 Entry 2012-01-29 FreeBSD ge 7.3 lt 7.3_8 ge 7.4 lt 7.4_4 ge 8.1 lt 8.1_6 ge 8.2 lt 8.2_4 SA-11:05.unix |
f62bba56-b309-11e9-a87f-a4badb2f4699 | FreeBSD -- iconv buffer overflow Problem Description: With certain inputs, iconv may write beyond the end of the output buffer. Impact: Depending on the way in which iconv is used, an attacker may be able to create a denial of service, provoke incorrect program behavior, or induce a remote code execution. iconv is a libc library function and the nature of possible attacks will depend on the way in which iconv is used by applications or daemons. Discovery 2019-07-02 Entry 2019-07-30 FreeBSD ge 12.0 lt 12.0_7 ge 11.2 lt 11.2_11 CVE-2019-5600 SA-19:09.iconv |
f6eb2279-ca3f-11df-aade-0050568f000c | FreeBSD -- Insufficient environment sanitization in jail(8) Problem Description: The jail(8) utility does not change the current working directory while imprisoning. The current working directory can be accessed by its descendants. Discovery 2010-05-27 Entry 2010-10-24 Modified 2016-08-09 FreeBSD ge 8.0 lt 8.0_3 SA-10:04.jail |
f70f8860-e8ee-11d9-b875-0001020eed82 | kernel -- ipfw packet matching errors with address tables Problem Description The ipfw tables lookup code caches the result of the last query. The kernel may process multiple packets concurrently, performing several concurrent table lookups. Due to insufficient locking, a cached result can become corrupted, which could cause some addresses to be incorrectly matched against a lookup table. Impact When lookup tables are used with ipfw, packets may on very rare occasions incorrectly match a lookup table. This could result in a packet being treated contrary to the defined packet filtering ruleset. For example, a packet may be allowed to pass through when it should have been discarded. The problem can only occur on Symmetric Multi-Processor (SMP) systems, or on Uni Processor (UP) systems with the PREEMPTION kernel option enabled (not the default). Workaround a) Do not use lookup tables. OR b) Disable concurrent processing of packets in the network stack by setting the "debug.mpsafenet=0" tunable: # echo "debug.mpsafenet=0" >> /boot/loader.conf Discovery 2005-06-29 Entry 2005-06-29 Modified 2005-07-06 FreeBSD ge 5.4 lt 5.4_3 CVE-2005-2019 SA-05:13.ipfw |
f8551668-de09-4d7b-9720-f1360929df07 | tcpdump ISAKMP payload handling remote denial-of-service Chad Loder has discovered vulnerabilities in tcpdump's ISAKMP protocol handler. During an audit to repair these issues, Bill Fenner discovered some related problems. These vulnerabilities may be used by an attacker to crash a running `tcpdump' process. They can only be triggered if the `-v' command line option is being used. NOTE: the racoon ISAKMP/IKE daemon incorporates the ISAKMP protocol handler from tcpdump, and so is also affected by this issue. Discovery 2004-03-12 Entry 2004-03-31 Modified 2016-08-11 tcpdump < 3.8.3 racoon < 20040408a FreeBSD < 5.2.1 http://marc.theaimsgroup.com/?l=bugtraq&m=108067265931525 http://www.rapid7.com/advisories/R7-0017.html CVE-2004-0183 CVE-2004-0184 |
f8b46415-c264-11ea-8659-901b0ef719ab | FreeBSD -- posix_spawnp(3) buffer overflow Problem Description: posix_spawnp spawns a new thread with a limited stack allocated on the heap before delegating to execvp for the final execution within that thread. execvp would previously make unbounded allocations on the stack, directly proportional to the length of the user-controlled PATH environment variable. Impact: Long values in the user-controlled PATH environment variable cause posix_spawnp to write beyond the end of the stack that was allocated, ultimately overflowing the heap-allocated stack with a direct copy of the value stored in PATH. Discovery 2020-07-09 Entry 2020-07-10 FreeBSD ge 11.4 lt 11.4_1 CVE-2020-7458 SA-20:18.posix_spawnp |
f93be979-a992-11d8-aecc-000d610a3b12 | cvs pserver remote heap buffer overflow Due to a programming error in code used to parse data received from the client, malformed data can cause a heap buffer to overflow, allowing the client to overwrite arbitrary portions of the server's memory. A malicious CVS client can exploit this to run arbitrary code on the server at the privilege level of the CVS server software. Discovery 2004-05-02 Entry 2004-05-19 FreeBSD ge 5.2 lt 5.2_7 ge 5.1 lt 5.1_17 ge 5.0 lt 5.0_21 ge 4.9 lt 4.9_8 ge 4.8 lt 4.8_21 ge 4.0 lt 4.7_27 CVE-2004-0396 SA-04:10.cvs |
f95a9005-88ae-11d8-90d1-0020ed76ef5a | shmat reference counting bug A programming error in the shmat(2) system call can result in a shared memory segment's reference count being erroneously incremented. It may be possible to cause a shared memory segment to reference unallocated kernel memory, but remain valid. This could allow a local attacker to gain read or write access to a portion of kernel memory, resulting in sensitive information disclosure, bypass of access control mechanisms, or privilege escalation. Discovery 2004-02-01 Entry 2004-04-07 Modified 2004-05-05 FreeBSD ge 5.2 lt 5.2_2 ge 5.1 lt 5.1_14 ge 5.0 lt 5.0_20 ge 4.9 lt 4.9_2 ge 4.8 lt 4.8_15 < 4.7_25 CVE-2004-0114 SA-04:02.shmat http://www.pine.nl/press/pine-cert-20040201.txt |
fa6a4a69-03d1-11e9-be12-a4badb2f4699 | FreeBSD -- bootpd buffer overflow Problem Description: Due to insufficient validation of network-provided data it may be possible for a malicious attacker to craft a bootp packet which could cause a stack buffer overflow. Impact: It is possible that the buffer overflow could lead to a Denial of Service or remote code execution. Discovery 2018-12-19 Entry 2018-12-19 FreeBSD ge 12.0 lt 12.0_1 ge 11.2 lt 11.2_7 CVE-2018-1716 SA-18:15.bootpd |
fb5e227e-b8c6-11d8-b88c-000d610a3b12 | jailed processes can manipulate host routing tables A programming error resulted in a failure to verify that an attempt to manipulate routing tables originated from a non-jailed process. Jailed processes running with superuser privileges could modify host routing tables. This could result in a variety of consequences, including packets being sent via an incorrect network interface and packets being discarded entirely. Discovery 2004-02-03 Entry 2004-06-07 FreeBSD ge 4.9 lt 4.9_10 ge 4.8 lt 4.8_23 CVE-2004-0125 SA-04:12.jailroute |
fbc8413f-2f7a-11de-9a3f-001b77d09812 | FreeBSD -- remotely exploitable crash in OpenSSL Problem Description: The function ASN1_STRING_print_ex does not properly validate the lengths of BMPString or UniversalString objects before attempting to print them. Impact: An application which attempts to print a BMPString or UniversalString which has an invalid length will crash as a result of OpenSSL accessing invalid memory locations. This could be used by an attacker to crash a remote application. Workaround: No workaround is available, but applications which do not use the ASN1_STRING_print_ex function (either directly or indirectly) are not affected. Discovery 2009-03-25 Entry 2009-05-07 Modified 2009-05-13 FreeBSD ge 6.3 lt 6.3_10 ge 6.4 lt 6.4_4 ge 7.0 lt 7.0_12 ge 7.1 lt 7.1_5 SA-09:08.openssl CVE-2009-0590 |
fc5231b6-c066-11e1-b5e0-000c299b62e1 | FreeBSD -- Incorrect handling of zero-length RDATA fields in named(8) Problem description: Discovery 2012-06-12 Entry 2012-06-27 FreeBSD ge 7.4 lt 7.4_9 ge 8.1 lt 8.1_11 ge 8.2 lt 8.2_9 ge 8.3 lt 8.3_3 ge 9.0 lt 9.0_3 SA-12:03.bind CVE-2012-1667 |
fcedcdbb-c86e-11e6-b1cf-14dae9d210b8 | FreeBSD -- Multiple vulnerabilities of ntp Problem Description: Multiple vulnerabilities have been discovered in the NTP suite: CVE-2016-9311: Trap crash. Reported by Matthew Van Gundy of Cisco ASIG. CVE-2016-9310: Mode 6 unauthenticated trap information disclosure and DDoS vector. Reported by Matthew Van Gundy of Cisco ASIG. CVE-2016-7427: Broadcast Mode Replay Prevention DoS. Reported by Matthew Van Gundy of Cisco ASIG. CVE-2016-7428: Broadcast Mode Poll Interval Enforcement DoS. Reported by Matthew Van Gundy of Cisco ASIG. CVE-2016-7431: Regression: 010-origin: Zero Origin Timestamp Bypass. Reported by Sharon Goldberg and Aanchal Malhotra of Boston University. CVE-2016-7434: Null pointer dereference in _IO_str_init_static_internal(). Reported by Magnus Stubman. CVE-2016-7426: Client rate limiting and server responses. Reported by Miroslav Lichvar of Red Hat. CVE-2016-7433: Reboot sync calculation problem. Reported independently by Brian Utterback of Oracle, and by Sharon Goldberg and Aanchal Malhotra of Boston University. Impact: A remote attacker who can send a specially crafted packet can cause a NULL pointer dereference that will crash ntpd, resulting in a Denial of Service. [CVE-2016-9311] An exploitable configuration modification vulnerability exists in the control mode (mode 6) functionality of ntpd. If, against long-standing BCP recommendations, "restrict default noquery ..." is not specified, a specially crafted control mode packet can set ntpd traps, providing information disclosure and DDoS amplification, and unset ntpd traps, disabling legitimate monitoring, by an attacker from remote. [CVE-2016-9310] An attacker with access to the NTP broadcast domain can periodically inject specially crafted broadcast mode NTP packets into the broadcast domain which, while being logged by ntpd, can cause ntpd to reject broadcast mode packets from legitimate NTP broadcast servers. [CVE-2016-7427] An attacker with access to the NTP broadcast domain can send specially crafted broadcast mode NTP packets to the broadcast domain which, while being logged by ntpd, will cause ntpd to reject broadcast mode packets from legitimate NTP broadcast servers. [CVE-2016-7428] Origin timestamp problems were fixed in ntp 4.2.8p6. However, subsequent timestamp validation checks introduced a regression in the handling of some Zero origin timestamp checks. [CVE-2016-7431] If ntpd is configured to allow mrulist query requests from a server that sends a crafted malicious packet, ntpd will crash on receipt of that crafted malicious mrulist query packet. [CVE-2016-7434] An attacker who knows the sources (e.g., from an IPv4 refid in server response) and knows the system is (mis)configured in this way can periodically send packets with spoofed source address to keep the rate limiting activated and prevent ntpd from accepting valid responses from its sources. [CVE-2016-7426] Ntp Bug 2085 described a condition where the root delay was included twice, causing the jitter value to be higher than expected. Due to a misinterpretation of a small-print variable in The Book, the fix for this problem was incorrect, resulting in a root distance that did not include the peer dispersion. The calculations and formulas have been reviewed and reconciled, and the code has been updated accordingly. [CVE-2016-7433] Discovery 2016-12-22 Entry 2016-12-22 FreeBSD ge 11.0 lt 11.0_6 ge 10.3 lt 10.3_15 ge 10.2 lt 10.2_28 ge 10.1 lt 10.1_45 ge 9.3 lt 9.3_53 CVE-2016-7426 CVE-2016-7427 CVE-2016-7428 CVE-2016-7431 CVE-2016-7433 CVE-2016-7434 CVE-2016-9310 CVE-2016-9311 SA-16:39.ntp |
fee94342-4638-11e1-9f47-00e0815b8da8 | FreeBSD -- errors handling corrupt compress file in compress(1) and gzip(1) Discovery 2011-09-28 Entry 2012-01-29 FreeBSD ge 7.3 lt 7.3_7 ge 7.4 lt 7.4_3 ge 8.1 lt 8.1_5 ge 8.2 lt 8.2_3 SA-11:04.compress CVE-2011-2895 |