author Jacques Vidrine <nectar@FreeBSD.org> 2004-04-07 16:27:57 +0000
committer Jacques Vidrine <nectar@FreeBSD.org> 2004-04-07 16:27:57 +0000
commit 16c43cb9df09c2fe83ce2061f5ae9676ea769a13 (patch)
tree 025855a3fe1fcd9a369ded105e2e38a00105da28 /security
parent Unbreak build. (diff)
Add new affected version of gaim.
Add year 2004 FreeBSD security advisories.
Diffstat (limited to 'security')
-rw-r--r-- security/vuxml/vuln.xml 160
1 files changed, 159 insertions, 1 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index a4a9a0af9e31..97fefe07cf91 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -30,6 +30,160 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="7229d900-88af-11d8-90d1-0020ed76ef5a">
+ <topic>mksnap_ffs clears file system options</topic>
+ <affects>
+ <system>
+ <name>FreeBSD</name>
+ <range><ge>5.2</ge><lt>5.2p1</lt></range>
+ <range><ge>5.1</ge><lt>5.1p12</lt></range>
+ </system>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The kernel interface for creating a snapshot of a
+ filesystem is the same as that for changing the flags on
+ that filesystem. Due to an oversight, the <a
+ href="http://www.freebsd.org/cgi/man.cgi?query=mksnap_ffs"
+ >mksnap_ffs(8)</a>
+ command called that interface with only the snapshot flag
+ set, causing all other flags to be reset to the default
+ value.</p>
+ <p>A regularly scheduled backup of a live filesystem, or
+ any other process that uses the mksnap_ffs command
+ (for instance, to provide a rough undelete functionality
+ on a file server), will clear any flags in effect on the
+ filesystem being snapshot. Possible consequences depend
+ on local usage, but can include disabling extended access
+ control lists or enabling the use of setuid executables
+ stored on an untrusted filesystem.</p>
+ <p>The mksnap_ffs command is normally only available to
+ the superuser and members of the `operator' group. There
+ is therefore no risk of a user gaining elevated privileges
+ directly through use of the mksnap_ffs command unless
+ it has been intentionally made available to unprivileged
+ users.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CAN-2004-0099</cvename>
+ <freebsdsa>SA-04:01.mksnap_ffs</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2004-01-30</discovery>
+ <entry>2004-04-07</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="f95a9005-88ae-11d8-90d1-0020ed76ef5a">
+ <topic>shmat reference counting bug</topic>
+ <affects>
+ <system>
+ <name>FreeBSD</name>
+ <range><ge>5.2</ge><lt>5.2p2</lt></range>
+ <range><ge>5.1</ge><lt>5.1p14</lt></range>
+ <range><ge>5.0</ge><lt>5.0p20</lt></range>
+ <range><ge>4.9</ge><lt>4.9p2</lt></range>
+ <range><ge>4.8</ge><lt>4.8p15</lt></range>
+ <range><lt>4.7p25</lt></range>
+ </system>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>A programming error in the <a
+ href="http://www.freebsd.org/cgi/man.cgi?query=shmat"
+ >shmat(2)</a> system call can result
+ in a shared memory segment's reference count being erroneously
+ incremented.</p>
+ <p>It may be possible to cause a shared memory segment to
+ reference unallocated kernel memory, but remain valid.
+ This could allow a local attacker to gain read or write
+ access to a portion of kernel memory, resulting in sensitive
+ information disclosure, bypass of access control mechanisms,
+ or privilege escalation. </p>
+ </body>
+ </description>
+ <references>
+ <cvename>CAN-2004-0114</cvename>
+ <freebsdsa>SA-04:02.shmat</freebsdsa>
+ <url>http://www.pine.nl/press/pine-cert-20040201.txt</url>
+ </references>
+ <dates>
+ <discovery>2004-02-01</discovery>
+ <entry>2004-04-07</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="9082a85a-88ae-11d8-90d1-0020ed76ef5a">
+ <topic>jailed processes can attach to other jails</topic>
+ <affects>
+ <system>
+ <name>FreeBSD</name>
+ <range><ge>5.1</ge><lt>5.1p14</lt></range>
+ <range><ge>5.2</ge><lt>5.2.1</lt></range>
+ </system>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>A programming error has been found in the <a
+ href="http://www.freebsd.org/cgi/man.cgi?query=jail_attach"
+ >jail_attach(2)</a>
+ system call which affects the way that system call verifies
+ the privilege level of the calling process. Instead of
+ failing immediately if the calling process was already
+ jailed, the jail_attach system call would fail only after
+ changing the calling process's root directory.</p>
+ <p>A process with superuser privileges inside a jail could
+ change its root directory to that of a different jail,
+ and thus gain full read and write access to files and
+ directories within the target jail. </p>
+ </body>
+ </description>
+ <references>
+ <cvename>CAN-2004-0126</cvename>
+ <freebsdsa>SA-04:03.jail</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2004-02-19</discovery>
+ <entry>2004-04-07</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="e289f7fd-88ac-11d8-90d1-0020ed76ef5a">
+ <topic>many out-of-sequence TCP packets denial-of-service</topic>
+ <affects>
+ <system>
+ <name>FreeBSD</name>
+ <range><ge>5.2</ge><lt>5.2.1p2</lt></range>
+ <range><ge>5.0</ge><lt>5.1p15</lt></range>
+ <range><ge>4.9</ge><lt>4.9p3</lt></range>
+ <range><ge>4.8</ge><lt>4.8p16</lt></range>
+ <range><lt>4.7p26</lt></range>
+ </system>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>FreeBSD does not limit the number of TCP segments that
+ may be held in a reassembly queue. A remote attacker may
+ conduct a low-bandwidth denial-of-service attack against
+ a machine providing services based on TCP (there are many
+ such services, including HTTP, SMTP, and FTP). By sending
+ many out-of-sequence TCP segments, the attacker can cause
+ the target machine to consume all available memory buffers
+ (``mbufs''), likely leading to a system crash. </p>
+ </body>
+ </description>
+ <references>
+ <cvename>CAN-2004-0171</cvename>
+ <freebsdsa>SA-04:04.tcp</freebsdsa>
+ <url>http://www.idefense.com/application/poi/display?id=78&amp;type=vulnerabilities</url>
+ </references>
+ <dates>
+ <discovery>2004-02-18</discovery>
+ <entry>2004-04-07</entry>
+ </dates>
+ </vuln>
+
<vuln vid="40fcf20f-8891-11d8-90d1-0020ed76ef5a">
<topic>racoon remote denial of service vulnerability</topic>
<affects>
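Review bot: in the TCP reassembly entry, `<range><ge>5.0</ge><lt>5.1p15</lt></range>` folds the 5.0 and 5.1 branches into a single range, whereas the shmat entry added in the same hunk lists them separately (5.1 up to 5.1p14 and 5.0 up to 5.0p20). As written, every 5.0 patch level matches as affected. If that is intended because 5.0 has no fixed patch level for this issue, an XML comment saying so would save the next editor from "correcting" it; otherwise split the range per branch. Two smaller points: the jail_attach entry lists its 5.1 range before its 5.2 range while the other new entries go newest first, and the last paragraphs of the shmat, jail_attach and TCP descriptions end with a stray space before `</p>`.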
@@ -423,7 +577,9 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
<p>From the FreeBSD Security Advisory:</p>
<blockquote>
<p>A programming error in the handling of some IPv6 socket
- options within the setsockopt(2) system call may result
+ options within the <a
+ href="http://www.freebsd.org/cgi/man.cgi?query=setsockopt"
+ >setsockopt(2)</a> system call may result
in memory locations being accessed without proper
validation.</p>
<p>It may be possible for a local attacker to read portions
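Review bot: the link wrapped around setsockopt(2) is not mentioned in the commit message, which only covers the gaim version and the 2004 advisories, so this edit to an existing entry is easy to miss in history; either mention it in the log or commit it separately. The edited paragraph also sits inside the `<blockquote>` introduced as "From the FreeBSD Security Advisory:", so it is worth confirming that adding markup to quoted advisory text is acceptable for this file. The href names only the page (`query=setsockopt`) while the link text says section 2; the same applies to the man page links in the new entries.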
@@ -1816,6 +1972,7 @@ misc.c:
<name>gaim</name>
<range><lt>0.75_3</lt></range>
<range><eq>0.75_5</eq></range>
+ <range><eq>0.76</eq></range>
</package>
</affects>
<description>
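Review bot: adding `<range><eq>0.76</eq></range>` next to `<lt>0.75_3</lt>` and `<eq>0.75_5</eq>` keeps this entry on exact-version matching, so 0.75_3 and 0.75_4 are treated as fixed while a later port revision of 0.76 would not match at all and would need another edit here. A short XML comment explaining why 0.75_5 and 0.76 are affected again (and which revision is expected to carry the fix) would make the gaps between these ranges reviewable; once a fixed revision exists, a `<ge>`/`<lt>` pair would be easier to maintain than a growing list of `<eq>` lines.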
@@ -1857,6 +2014,7 @@ misc.c:
<dates>
<discovery>2004-01-26</discovery>
<entry>2004-02-12</entry>
+ <modified>2004-04-07</modified>
</dates>
</vuln>
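Review bot: `<modified>2004-04-07</modified>` is added here to go with the new gaim range, but the entry whose setsockopt(2) paragraph is edited earlier in this patch shows no corresponding `<modified>` line in its hunk. Either stamp that entry as well or state that markup-only changes do not bump `<modified>`, so consumers that key on the date know what to expect.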