� Security Updates

September 30, 2015


rpcbind(8) remote denial of service

In rpcbind(8), netbuf structures are copied directly, which would result in two netbuf structures that reference to one shared address buffer. When one of the two netbuf structures is freed, access to the other netbuf structure would result in an undefined result that may crash the rpcbind(8) daemon.

10/2: Revised rpcbind(8) patch to fix issues with NIS

August 25, 2015


kernel: fix a security issue on amd64 where the GS segment CPU register can be changed via userland value in kernel mode by using an IRET with #SS or #NP exceptions.

openssh: A programming error in the privileged monitor process of the sshd(8) service may allow the username of an already-authenticated user to be overwritten by the unprivileged child process.

A use-after-free error in the privileged monitor process of he sshd(8) service may be deterministically triggered by the actions of a compromised unprivileged child process.

A use-after-free error in the session multiplexing code in the sshd(8) service may result in unintended termination of the connection.

August 18, 2015


Fix a security vulnerabiity in the expat XML parser.

August 8, 2015


routed - fix a potential security issue where traffic from outside the network can disrupt routing.

July 28, 2015


TCP Resassemly resource exhaustion bug: There is a mistake with the introduction of VNET, which converted the global limit on the number of segments that could belong to reassembly queues into a per-VNET limit. Because mbufs are allocated from a global pool, in the presence of a sufficient number of VNETs, the total number of mbufs attached to reassembly queues can grow to the total number of mbufs in the system, at which point all network traffic would cease.
Obtained from: FreeBSD 8


Fix two security vulnerabilities: OpenSSH clients does not correctly verify DNS SSHFP records when a server offers a certificate. [CVE-2014-2653]

OpenSSH servers which are configured to allow password authentication using PAM (default) would allow many password attempts. A bug allows MaxAuthTries to be bypassed. [CVE-2015-5600]

July 22, 2015


Fix a bug where TCP connections transitioning to LAST_ACK state can get stuck. This can result in a denial of service.

June 12, 2015


OpenSSL Security update - new version is OpenSSL 0.9.8zg

March 19, 2015

0.5.10 RELEASE

OpenSSL Security update

A malformed elliptic curve private key file could cause a use-after-free condition in the d2i_ECPrivateKey function. [CVE-2015-0209]

An attempt to compare ASN.1 boolean types will cause the ASN1_TYPE_cmp function to crash with an invalid read. [CVE-2015-0286]

Reusing a structure in ASN.1 parsing may allow an attacker to cause memory corruption via an invalid write. [CVE-2015-0287]

The function X509_to_X509_REQ will crash with a NULL pointer dereference if the certificate key is invalid. [CVE-2015-0288]

The PKCS#7 parsing code does not handle missing outer ContentInfo correctly. [CVE-2015-0289]

A malicious client can trigger an OPENSSL_assert in servers that both support SSLv2 and enable export cipher suites by sending a specially crafted SSLv2 CLIENT-MASTER-KEY message. [CVE-2015-0293]

February 25, 2015


Fix two security vulnerabilities.

1. BIND servers which are configured to perform DNSSEC validation and which are using managed keys (which occurs implicitly when using "dnssec-validation auto;" or "dnssec-lookaside auto;") may exhibit unpredictable behavior due to the use of an improperly initialized variable.


2. An integer overflow in computing the size of IGMPv3 data buffer can result in a buffer which is too small for the requested operation.

This can result in a DOS attack.

January 14, 2015


Fix several security issues with OpenSSL.

A carefully crafted DTLS message can cause a segmentation fault in OpenSSL due to a NULL pointer dereference. [CVE-2014-3571]

A memory leak can occur in the dtls1_buffer_record function under certain conditions. [CVE-2015-0206]

When OpenSSL is built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl method would be set to NULL which could later result in a NULL pointer dereference. [CVE-2014-3569]

An OpenSSL client will accept a handshake using an ephemeral ECDH ciphersuite using an ECDSA certificate if the server key exchange message is omitted. [CVE-2014-3572]

An OpenSSL client will accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. [CVE-2015-0204]

An OpenSSL server will accept a DH certificate for client authentication without the certificate verify message. [CVE-2015-0205]

OpenSSL accepts several non-DER-variations of certificate signature algorithm and signature encodings. OpenSSL also does not enforce a match between the signature algorithm between the signed and unsigned portions of the certificate. [CVE-2014-8275]

Bignum squaring (BN_sqr) may produce incorrect results on some platforms, including x86_64. [CVE-2014-3570]

December 11, 2014


Fix a security issue with file and libmagic that can allow an attacker to create a denial of service attack on any program that uses libmagic.


Fix building perl during buildworld when the GDBM port is installed.

November 6, 2014


Update timezone data tzdata 2014i

(plus previous security fixes)

Fix two security issues:

1. sshd may link libpthread in the wrong order, shadowing libc functions and causing a possible DOS attack for connecting clients.

2. getlogin may leak kernel memory via a buffer that is copied without clearing.

October 31, 2014


tnftp 20141031 fixes a security vulnerability with tnftp, CVE-2014-8517.

October 27, 2014


libmport fix for packages

October 21, 2014


MidnightBSD 0.5.3-RELEASE is now available via subversion.

Fix several security vulnerabilities in OpenSSL, routed, rtsold, and namei with respect to Capsicum sandboxes looking up nonexistent path names and leaking memory.

OpenSSL update adds some workarounds for the recent poodle vulnerability reported by Google.

The input path in routed(8) will accept queries from any source and attempt to answer them. However, the output path assumes that the destination address for the response is on a directly connected network.

Due to a missing length check in the code that handles DNS parameters, a malformed router advertisement message can result in a stack buffer overflow in rtsold(8).

In addition, we've released 0.5.2-RELEASE ISOs on the FTP server for both amd64 and i386. We plan to do rollup security releases periodically.

October 11, 2014


Fixed a regression with mksh R50c.

October 4, 2014


Fixed a security issue with mksh. For more details, view the mksh notification .

September 16, 2014


Fix a security issue with TCP SYN.

When a segment with the SYN flag for an already existing connection arrives, the TCP stack tears down the connection, bypassing a check that the sequence number in the segment is in the expected window.

September 9, 2014


OpenSSL security patch:

The receipt of a specifically crafted DTLS handshake message may cause OpenSSL to consume large amounts of memory. [CVE-2014-3506]

The receipt of a specifically crafted DTLS packet could cause OpenSSL to leak memory. [CVE-2014-3507]

A flaw in OBJ_obj2txt may cause pretty printing functions such as X509_name_oneline, X509_name_print_ex et al. to leak some information from the stack. [CVE-2014-3508]

OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to a denial of service attack. [CVE-2014-3510]

July 10, 2014


Fix a vulnerability in the control message API. A buffer is not properly cleared before sharing with userland.

June 5, 2014


OpenSSL vulnerabilities Receipt of an invalid DTLS fragment on an OpenSSL DTLS client or server can lead to a buffer overrun. [CVE-2014-0195] Receipt of an invalid DTLS handshake on an OpenSSL DTLS client can lead the code to unnecessary recurse. [CVE-2014-0221] Carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. [CVE-2014-0224] Carefully crafted packets can lead to a NULL pointer deference in OpenSSL TLS client code if anonymous ECDH ciphersuites are enabled. [CVE-2014-3470]

June 4, 2014


Sendmail failed to properly set close-on-exec for open file descriptors.

ktrace page fault kernel trace entries were set to an incorrect size which resulted in a leak of information.

April 30, 2014


Fix a TCP reassembly bug that could result in a DOS attack of the system. It may be possible to obtain portions of kernel memory as well.

April 9, 2014


Fix an issue allowing an attacker to deadlock the NFS Server from a trusted client.


Fix a security issue in OpenSSL [CVE-2014-0076]

February 1, 2014


Fix a minor annoyance with the default dot.profile and ssh-agent

January 14, 2014


Fix two security vulnerabilities. bsnmpd contains a stack overflow when sent certain queries. bind 9.8 when using NSEC3-signed zones zones, will crash with special crafted packets.

November 29, 2013

MidnightBSD 0.4-RELEASE-p5

libc's iconv support includes an optimization that is imcompatible with gettext's msgfmt command. By turning off this optimization, we gain compatiblity with several GNU packages.

September 10, 2013

MidnightBSD 0.4-RELEASE-p4


The nullfs(5) implementation of the VOP_LINK(9) VFS operation does not check whether the source and target of the link are both in the same nullfs instance. It is therefore possible to create a hardlink from a location in one nullfs instance to a file in another, as long as the underlying (source) filesystem is the same.


As is commonly the case, the IPv6 and ATM network layer ioctl request handlers are written in such a way that an unrecognized request is passed on unmodified to the link layer, which will either handle it or return an error code.

Network interface drivers, however, assume that the SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR and SIOCSIFNETMASK requests have been handled at the network layer, and therefore do not perform input validation or verify the caller's credentials. Typical link-layer actions for these requests may include marking the interface as "up" and resetting the underlying hardware.

Patches obtained from FreeBSD

August 22, 2013

MidnightBSD 0.4-RELEASE-p2

Fix an integer overflow in IP_MSFILTER (IP MULTICAST). This could be exploited to read memory by a user process.

When initializing the SCTP state cookie being sent in INIT-ACK chunks, a buffer allocated from the kernel stack is not completely initialized.

Patches obtained from FreeBSD

July 28, 2013

MidnightBSD 0.4-RELEASE-p1

Vulnerabilities were reported in BIND and NFS Server. BIND has a defect resulting in a possible denial of service attack with malformed rdata in a query. This affects only systems running named and not DNS clients.

For NFS, the kernel incorrectly uses client supplied credentials instead of the one configured in exports(5) when filling out the anonymous credential for a NFS export, when -network or -host restrictions are used at the same time. This patch was obtained from FreeBSD.

June 6, 2012

MidnightBSD 0.3-RELEASE-p9

A vulnerability exists in bind related to resource records. A zero length request can cause bind to crash resulting in a denial of service or disclosure of information.


May 30, 2012

MidnightBSD 0.3-RELEASE-p8

Fix a problem with cyrpt's DES implementation when used with non 7-bit ascii passwords.

May 30, 2012

MidnightBSD 0.3-RELEASE-p7

An additional problem in OpenSSL was identified related to the previous (p6) patch.

add SGC and BUF_MEM_grow_clean(3) bug fixes.

May 3, 2012

MidnightBSD 0.3-RELEASE-p6

OpenSSL failes to clear the bytes used as block cipher padding in SSL 3.0 records when operating as a client or a server that accept SSL 3.0 handshakes. As a result, in each record, up to 15 bytes of uninitialized memory may be sent, encrypted, to the SSL peer. This could include sensitive contents of previously freed memory. [CVE-2011-4576]

OpenSSL support for handshake restarts for server gated cryptograpy (SGC) can be used in a denial-of-service attack. [CVE-2011-4619]

If an application uses OpenSSL's certificate policy checking when verifying X509 certificates, by enabling the X509_V_FLAG_POLICY_CHECK flag, a policy check failure can lead to a double-free. [CVE-2011-4109]

A weakness in the OpenSSL PKCS #7 code can be exploited using Bleichenbacher's attack on PKCS #1 v1.5 RSA padding also known as the million message attack (MMA). [CVE-2012-0884]

The asn1_d2i_read_bio() function, used by the d2i_*_bio and d2i_*_fp functions, in OpenSSL contains multiple integer errors that can cause memory corruption when parsing encoded ASN.1 data. This error can occur on systems that parse untrusted ASN.1 data, such as X.509 certificates or RSA public keys. [CVE-2012-2110]

December 23, 2011

Multiple security vulnerabilities impacting 0.3-RELEASE and 0.4-CURRENT have been patched in MidnightBSD.

  • telnetd: fix a root exploit from a fixed buffer that was not checked
  • pam: don't allow escape from policy path. Exploitable in KDE, etc.
  • Fix pam_ssh module: If the pam_ssh module is enabled, attackers may be able to gain access to user accounts which have unencrypted SSH private keys.
  • Fix security issue with chroot and ftpd.
  • nsdispatch(3) doesn't know it's working in a chroot and some operations can cause files to get reloaded causing a security hole in things like ftpd.

Users should update via CVS and buildworld / installworld. This corresponds to 0.3-RELEASE-p5.

November 4, 2011

MidnightBSD 0.3-RELEASE-p4

Fix a problem with unix socket handling caused by the recent patch to unix socket path handling. This allows network apps to work under the linuxolator again.

September 28, 2011

MidnightBSD 0.3-RELEASE-p3

Security hole in compress and gzip with malformed .Z files can cause an infinite loop in these utilities.

Validate paths for unix domain sockets.

May 30, 2011

0.3-RELEASE and 0.4-CURRENT contain a vulnerable version of BIND 9.6.x. Users who use BIND and a recursive DNS server should update to 0.3-RELEASE-p2. More information can be found at US-CERT

October 12, 2010

0.3-PRERELEASE and 0.4-CURRENT have an issue in all pseudofs based file systems including procfs and linprocfs that either can be used to run code as the kernel or at best crash the system. It's important to update the kernel on systems affected. If you can't do that, disable proc and linproc on your systems until a new kernel can be built. 0.2.1 is not believed to be affected as the code is significantly different and the locking issue is not present.

September 2, 2010

A minor vulnerability in libutil was reported. It can cause uses of some services such as OpenSSH to bypass cpu resource restrictions in 0.3 by use of a custom login.conf. This issue has been fixed today in kern.osreldate 3015 or better.

June 10, 2009

This should be applied to all systems running 0.2.1. Users on p9 simply should update their kernels. No world update is required.

The SIOCSIFINFO_IN6 ioctl is missing a necessary permissions check. Don't let everyone on the planet (with local access) change the properties on the ipv6 interfaces.

anonymous pipes:
Stop unprivileged processes from reading pages of memory belonging to other processes with anonymous pipes.

0.3-Current users can verify they have the patch by checking sysctl kern.osreldate. If the value is 3005 or better, you have the patch.

May 21, 2009

This fix is only in configuration files for ssh and sshd. Users on p8 should simply add

Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc
to their configuration files for sshd_config and ssh_config in etc/ssh

April 22, 2009

The function ASN1_STRING_print_ex does not properly validate the lengths of BMPString or UniversalString objects before attempting to print them. MidnightBSD 0.2.1-RELEASE-p8 and 0.3-CURRENT include this fix.

March 26, 2009

Update for sudo that corrects several outstanding security advisories. This was corrected in 0.2.1-RELEASE-p7 and 0.3-CURRENT. 0.1.x is no longer receiving security patches. It is recommended that you upgrade to 0.2.1-RELEASE-p7 when possible.

January 15, 2009

Prevent a DNSSEC attack with BIND. This was corrected in 0.2.1 and 0.3-CURRENT. 0.1.x is no longer receiving security patches. It is recommended that you upgrade to 0.2.1-RELEASE when possible.

January 10, 2009

Fix two issues with MidnightBSD 0.2.1 and 0.3-CURRENT. The first is in OpenSSL and would allow applications that use OpenSSL to interpret an invalid certificate as valid. The second is in lukemftpd(8) that could allow long commands to be split into multiple commands.

December 31, 2008

Correct a problem where bluetooth and netgraph sockets were not initialized properly. This is available in RELENG_0_2, RELENG_0_1, and current.

November 24, 2008

Correct a problem in arc4random which causes the device not to get enough entropy for system services.  Geom classes initialized at startup will still have problems. Update your system to RELENG_0_2 (MidnightBSD 0.2.1-p3)

September 29, 2008

A vulnerability in ftpd could allow unauthorized access. This is network exploitable and affects all versions of MidnightBSD.
Update your system using cvs to RELENG_0_2 or apply the patch on the ftp server in pub/MidnightBSD/patches/0.2.1/patch-ftpd and rebuild ftpd.

Septmeber 4, 2008

ICMPv6 code does not properly check the proposed MTU in the case of a "Packet Too Big Message" Systems without IPV6 support are safe. You may update your systems or block the ICMP traffic from a firewall or router. (CURRENT/RELENG_0_2)

Septmeber 4, 2008

An issue has been reported on systems running MidnightBSD for amd64/emt64 processors. (in 64bit os) This patch was released AFTER 0.2.1-RELEASE. Update systems to RELENG_0_2 or CURRENT to get the fix. From the FreeBSD advisory on the same issue: If a General Protection Fault happens on a FreeBSD/amd64 system while it is returning from an interrupt, trap or system call, the swapgs CPU instruction may be called one extra time when it should not resulting in userland and kernel state being mixed.

July 11, 2008

Update to bind 9.4.1 p1 to fix the recently reported vulnerability in most dns software. Users of BIND are recommended to update to the latest version in src on RELENG_0_2 or CURRENT, or to obtain a newer version from mports.

May 16, 2008

The Debian project made a patch to openssl causing a defect in the generation of ssh keys. A new utility was added to midnightbsd to detect these keys and deny them. This was applied to RELENG_0_2 and CURRENT. The utility was obtained from Ubuntu.

April 17, 2008

OpenSSH was updated to 5.0p1 in CURRENT to correct an issue with X11 forwarding. A patch for this issue was committed to RELENG_0_1 as well as a fix for a config file issue.

April 17, 2008

A security issue was found in mksh. This only affected CURRENT users. The software was updated to r33d

April 6, 2008

bzip2 was updated to 1.05 in CURRENT to correct a security issue.

April 3, 2008

A security issue was found with strfmon in libc. CVE-2008-1391 Integer Overflow. This was fixed in CURRENT.

February 15, 2008

CURRENT now has a patch to correct a potential security issue with sendfile. Files were not checked prior to serving which would allow a file that was write only to be served. While this scenario is rare, we decided to fix it anyway.
sendfile is used by many daemons including Apache httpd.

August 1, 2007

BIND and Tcpdump were patched in 0.2 and 0.1 for recent security issues. BIND is now equivalent to 9.3.4p1.

May 2, 2007

CURRENT and STABLE both have the patch for ipv6 type 0 routing headers. The problem is that ipv6 routing headers could be run over the same link multiple times.

March 10, 2007

While many of the DST changes were imported last year, we decided to cover all cases and import the latest tzdata2007c. Users concerned about DST changes should update their sources and rebuild. The java ports may not have DST changes in place. We will review that issue.

January 23, 2007

A "symlink" exploit was found in the MidnightBSD jail system. A fix was made available. Please update your /etc/rc.d/jail file from cvs. Patches will not be created until our first release.