May 31, 2016
MidnightBSD 0.7.9 RELEASE
Fix four security issues with MidnightBSD.
The implementation of TIOCGSERIAL ioctl(2) does not clear the output struct before sending to userland in the linux emulation layer.
The compat 43 stat(2) system call exposes kernel stack to userland.
libarchive - CVE-2015-2304 and CVE-2013-0211 fix issues with cpio directory traversal and an integer signedness error in the archive write zip data routine.
May 19, 2016
MidnightBSD 0.7.8 RELEASE
Kernel Security updates
atkbd(4) - Incorrect signedness comparison in the ioctl(2) handler allows a malicious local user to overwrite a portion of the kernel memory.
Incorrect argument handling in sendmsg(2)
Incorrect argument handling in the socket code allows malicious local user to overwrite large portion of the kernel memory.
May 5, 2016
MidnightBSD 0.7.7 RELEASE
OpenSSL security patch
The padding check in AES-NI CBC MAC was rewritten to be in constant time by making sure that always the same bytes are read and compared against either the MAC or padding bytes. But it no longer checked that there was enough data to have both the MAC and padding bytes. [CVE-2016-2107]
An overflow can occur in the EVP_EncodeUpdate() function which is used for Base64 encoding of binary data. [CVE-2016-2105]
An overflow can occur in the EVP_EncryptUpdate() function, however it is believed that there can be no overflows in internal code due to this problem. [CVE-2016-2106]
When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio() a short invalid encoding can cause allocation of large amounts of memory potentially consuming excessive resources or exhausting memory. [CVE-2016-2109]
March 17, 2016
MidnightBSD 0.7.6 RELEASE
OpenSSH doesn't have the luck of the Irish.
Fix a security issue with OpenSSH X11 forwarding that can allow an attacker run shell commands on the call to xauth.
Incorrect argument validation in sysarch(2)
A special combination of sysarch(2) arguments, specify a request to uninstall a set of descriptors from the LDT. The start descriptor is cleared and the number of descriptors are provided. Due to invalid use of a signed intermediate value in the bounds checking during argument validity verification, unbound zero'ing of the process LDT and adjacent memory can be initiated from usermode.
Patch obtained from FreeBSD.
March 10, 2016
MidnightBSD 0.7.5 RELEASE
Security patch for OpenSSL to stop DROWN [CVE-2016-0800] [CVE-2016-0705] [CVE-2016-0798] [CVE-2016-0797] [CVE-2016-0799] [CVE-2016-0702] [CVE-2016-0704]
A programming error in the Linux compatibility layer could cause the issetugid(2) system call to return incorrect information.
January 30, 2016
MidnightBSD 0.7.4 RELEASE
A malicious client can negotiate SSLv2 ciphers that have been disabled on the server and complete SSLv2 handshakes even if all SSLv2 ciphers have been disabled, provided that the SSLv2 protocol was not also disabled via SSL_OP_NO_SSLv2.
January 14, 2016
Disable roaming to mitigate a security issue with OpenSSH.
The signature verification routines will crash with a NULL pointer dereference if presented with an ASN.1 signature using the RSA PSS algorithm and absent mask generation function parameter. [CVE-2015-3194]
When presented with a malformed X509_ATTRIBUTE structure, OpenSSL will leak memory. [CVE-2015-3195]
If PSK identity hints are received by a multi-threaded client then the values are incorrectly updated in the parent SSL_CTX structure. [CVE-2015-3196]
A programming error in the Linux compatibility layer setgroups(2) system call can lead to an unexpected results, such as overwriting random kernel memory contents.
A programming error in the handling of Linux futex robust lists may result in incorrect memory locations being accessed.
Fix a security issue with bsnmpd configuration file installation.
TCP MD5 signature denial of service
A programming error in processing a TCP connection with both TCP_MD5SIG and TCP_NOOPT socket options may lead to kernel crash.
A lack of proper input checks in the ICMPv6 processing in the SCTP stack can lead to either a failed kernel assertion or to a NULL pointer dereference. In either case, a kernel panic will follow.
September 30, 2015
rpcbind(8) remote denial of service
In rpcbind(8), netbuf structures are copied directly, which would result in two netbuf structures that reference to one shared address buffer. When one of the two netbuf structures is freed, access to the other netbuf structure would result in an undefined result that may crash the rpcbind(8) daemon.
10/2: Revised rpcbind(8) patch to fix issues with NIS
August 25, 2015
kernel: fix a security issue on amd64 where the GS segment CPU register can be changed via userland value in kernel mode by using an IRET with #SS or #NP exceptions.
openssh: A programming error in the privileged monitor process of the sshd(8) service may allow the username of an already-authenticated user to be overwritten by the unprivileged child process.
A use-after-free error in the privileged monitor process of he sshd(8) service may be deterministically triggered by the actions of a compromised unprivileged child process.
A use-after-free error in the session multiplexing code in the sshd(8) service may result in unintended termination of the connection.
August 18, 2015
Fix a security vulnerabiity in the expat XML parser.
August 8, 2015
routed - fix a potential security issue where traffic from outside the network can disrupt routing.
July 28, 2015
TCP Resassemly resource exhaustion bug: There is a mistake with the introduction of VNET, which converted the global limit on the number of segments that could belong to reassembly queues into a per-VNET limit. Because mbufs are allocated from a global pool, in the presence of a sufficient number of VNETs, the total number of mbufs attached to reassembly queues can grow to the total number of mbufs in the system, at which point all network traffic would cease.
Obtained from: FreeBSD 8
Fix two security vulnerabilities: OpenSSH clients does not correctly verify DNS SSHFP records when a server offers a certificate. [CVE-2014-2653]
OpenSSH servers which are configured to allow password authentication using PAM (default) would allow many password attempts. A bug allows MaxAuthTries to be bypassed. [CVE-2015-5600]
July 22, 2015
Fix a bug where TCP connections transitioning to LAST_ACK state can get stuck. This can result in a denial of service.
June 12, 2015
OpenSSL Security update - new version is OpenSSL 0.9.8zg
March 19, 2015
OpenSSL Security update
A malformed elliptic curve private key file could cause a use-after-free condition in the d2i_ECPrivateKey function. [CVE-2015-0209]
An attempt to compare ASN.1 boolean types will cause the ASN1_TYPE_cmp function to crash with an invalid read. [CVE-2015-0286]
Reusing a structure in ASN.1 parsing may allow an attacker to cause memory corruption via an invalid write. [CVE-2015-0287]
The function X509_to_X509_REQ will crash with a NULL pointer dereference if the certificate key is invalid. [CVE-2015-0288]
The PKCS#7 parsing code does not handle missing outer ContentInfo correctly. [CVE-2015-0289]
A malicious client can trigger an OPENSSL_assert in servers that both support SSLv2 and enable export cipher suites by sending a specially crafted SSLv2 CLIENT-MASTER-KEY message. [CVE-2015-0293]
February 25, 2015
Fix two security vulnerabilities.
1. BIND servers which are configured to perform DNSSEC validation and which are using managed keys (which occurs implicitly when using "dnssec-validation auto;" or "dnssec-lookaside auto;") may exhibit unpredictable behavior due to the use of an improperly initialized variable.
2. An integer overflow in computing the size of IGMPv3 data buffer can result in a buffer which is too small for the requested operation.
This can result in a DOS attack.
January 14, 2015
Fix several security issues with OpenSSL.
A carefully crafted DTLS message can cause a segmentation fault in OpenSSL due to a NULL pointer dereference. [CVE-2014-3571]
A memory leak can occur in the dtls1_buffer_record function under certain conditions. [CVE-2015-0206]
When OpenSSL is built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl method would be set to NULL which could later result in a NULL pointer dereference. [CVE-2014-3569]
An OpenSSL client will accept a handshake using an ephemeral ECDH ciphersuite using an ECDSA certificate if the server key exchange message is omitted. [CVE-2014-3572]
An OpenSSL client will accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. [CVE-2015-0204]
An OpenSSL server will accept a DH certificate for client authentication without the certificate verify message. [CVE-2015-0205]
OpenSSL accepts several non-DER-variations of certificate signature algorithm and signature encodings. OpenSSL also does not enforce a match between the signature algorithm between the signed and unsigned portions of the certificate. [CVE-2014-8275]
Bignum squaring (BN_sqr) may produce incorrect results on some platforms, including x86_64. [CVE-2014-3570]
December 11, 2014
Fix a security issue with file and libmagic that can allow an attacker to create a denial of service attack on any program that uses libmagic.
Fix building perl during buildworld when the GDBM port is installed.
November 6, 2014
Update timezone data tzdata 2014i
(plus previous security fixes)
Fix two security issues:
1. sshd may link libpthread in the wrong order, shadowing libc functions and causing a possible DOS attack for connecting clients.
2. getlogin may leak kernel memory via a buffer that is copied without clearing.
October 31, 2014
tnftp 20141031 fixes a security vulnerability with tnftp, CVE-2014-8517.
October 27, 2014
libmport fix for packages
October 21, 2014
MidnightBSD 0.5.3-RELEASE is now available via subversion.
Fix several security vulnerabilities in OpenSSL, routed, rtsold, and namei with respect to Capsicum sandboxes looking up nonexistent path names and leaking memory.
OpenSSL update adds some workarounds for the recent poodle vulnerability reported by Google.
The input path in routed(8) will accept queries from any source and attempt to answer them. However, the output path assumes that the destination address for the response is on a directly connected network.
Due to a missing length check in the code that handles DNS parameters, a malformed router advertisement message can result in a stack buffer overflow in rtsold(8).
In addition, we've released 0.5.2-RELEASE ISOs on the FTP server for both amd64 and i386. We plan to do rollup security releases periodically.
October 11, 2014
Fixed a regression with mksh R50c.
October 4, 2014
Fixed a security issue with mksh. For more details, view the mksh notification .
September 16, 2014
Fix a security issue with TCP SYN.
When a segment with the SYN flag for an already existing connection arrives, the TCP stack tears down the connection, bypassing a check that the sequence number in the segment is in the expected window.
September 9, 2014
OpenSSL security patch:
The receipt of a specifically crafted DTLS handshake message may cause OpenSSL to consume large amounts of memory. [CVE-2014-3506]
The receipt of a specifically crafted DTLS packet could cause OpenSSL to leak memory. [CVE-2014-3507]
A flaw in OBJ_obj2txt may cause pretty printing functions such as X509_name_oneline, X509_name_print_ex et al. to leak some information from the stack. [CVE-2014-3508]
OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to a denial of service attack. [CVE-2014-3510]
July 10, 2014
Fix a vulnerability in the control message API. A buffer is not properly cleared before sharing with userland.
June 5, 2014
OpenSSL vulnerabilities Receipt of an invalid DTLS fragment on an OpenSSL DTLS client or server can lead to a buffer overrun. [CVE-2014-0195] Receipt of an invalid DTLS handshake on an OpenSSL DTLS client can lead the code to unnecessary recurse. [CVE-2014-0221] Carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. [CVE-2014-0224] Carefully crafted packets can lead to a NULL pointer deference in OpenSSL TLS client code if anonymous ECDH ciphersuites are enabled. [CVE-2014-3470]
June 4, 2014
Sendmail failed to properly set close-on-exec for open file descriptors.
ktrace page fault kernel trace entries were set to an incorrect size which resulted in a leak of information.
April 30, 2014
Fix a TCP reassembly bug that could result in a DOS attack of the system. It may be possible to obtain portions of kernel memory as well.
April 9, 2014
Fix an issue allowing an attacker to deadlock the NFS Server from a trusted client.
Fix a security issue in OpenSSL [CVE-2014-0076]
February 1, 2014
Fix a minor annoyance with the default dot.profile and ssh-agent
January 14, 2014
Fix two security vulnerabilities. bsnmpd contains a stack overflow when sent certain queries. bind 9.8 when using NSEC3-signed zones zones, will crash with special crafted packets.
November 29, 2013
libc's iconv support includes an optimization that is imcompatible with gettext's msgfmt command. By turning off this optimization, we gain compatiblity with several GNU packages.
September 10, 2013
The nullfs(5) implementation of the VOP_LINK(9) VFS operation does not check whether the source and target of the link are both in the same nullfs instance. It is therefore possible to create a hardlink from a location in one nullfs instance to a file in another, as long as the underlying (source) filesystem is the same.
As is commonly the case, the IPv6 and ATM network layer ioctl request handlers are written in such a way that an unrecognized request is passed on unmodified to the link layer, which will either handle it or return an error code.
Network interface drivers, however, assume that the SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR and SIOCSIFNETMASK requests have been handled at the network layer, and therefore do not perform input validation or verify the caller's credentials. Typical link-layer actions for these requests may include marking the interface as "up" and resetting the underlying hardware.
Patches obtained from FreeBSD
August 22, 2013
Fix an integer overflow in IP_MSFILTER (IP MULTICAST). This could be exploited to read memory by a user process.
When initializing the SCTP state cookie being sent in INIT-ACK chunks, a buffer allocated from the kernel stack is not completely initialized.
Patches obtained from FreeBSD
July 28, 2013
Vulnerabilities were reported in BIND and NFS Server. BIND has a defect resulting in a possible denial of service attack with malformed rdata in a query. This affects only systems running named and not DNS clients.
For NFS, the kernel incorrectly uses client supplied credentials instead of the one configured in exports(5) when filling out the anonymous credential for a NFS export, when -network or -host restrictions are used at the same time. This patch was obtained from FreeBSD.
June 6, 2012
A vulnerability exists in bind related to resource records. A zero length request can cause bind to crash resulting in a denial of service or disclosure of information.
May 30, 2012
Fix a problem with cyrpt's DES implementation when used with non 7-bit ascii passwords.
May 30, 2012
An additional problem in OpenSSL was identified related to the previous (p6) patch.
add SGC and BUF_MEM_grow_clean(3) bug fixes.
May 3, 2012
OpenSSL failes to clear the bytes used as block cipher padding in SSL 3.0 records when operating as a client or a server that accept SSL 3.0 handshakes. As a result, in each record, up to 15 bytes of uninitialized memory may be sent, encrypted, to the SSL peer. This could include sensitive contents of previously freed memory. [CVE-2011-4576]
OpenSSL support for handshake restarts for server gated cryptograpy (SGC) can be used in a denial-of-service attack. [CVE-2011-4619]
If an application uses OpenSSL's certificate policy checking when verifying X509 certificates, by enabling the X509_V_FLAG_POLICY_CHECK flag, a policy check failure can lead to a double-free. [CVE-2011-4109]
A weakness in the OpenSSL PKCS #7 code can be exploited using Bleichenbacher's attack on PKCS #1 v1.5 RSA padding also known as the million message attack (MMA). [CVE-2012-0884]
The asn1_d2i_read_bio() function, used by the d2i_*_bio and d2i_*_fp functions, in OpenSSL contains multiple integer errors that can cause memory corruption when parsing encoded ASN.1 data. This error can occur on systems that parse untrusted ASN.1 data, such as X.509 certificates or RSA public keys. [CVE-2012-2110]
December 23, 2011
Multiple security vulnerabilities impacting 0.3-RELEASE and 0.4-CURRENT have been patched in MidnightBSD.
- telnetd: fix a root exploit from a fixed buffer that was not checked
- pam: don't allow escape from policy path. Exploitable in KDE, etc.
- Fix pam_ssh module: If the pam_ssh module is enabled, attackers may be able to gain access to user accounts which have unencrypted SSH private keys.
- Fix security issue with chroot and ftpd.
- nsdispatch(3) doesn't know it's working in a chroot and some operations can cause files to get reloaded causing a security hole in things like ftpd.
Users should update via CVS and buildworld / installworld. This corresponds to 0.3-RELEASE-p5.
November 4, 2011
Fix a problem with unix socket handling caused by the recent patch to unix socket path handling. This allows network apps to work under the linuxolator again.
September 28, 2011
Security hole in compress and gzip with malformed .Z files can cause an infinite loop in these utilities.
Validate paths for unix domain sockets.
May 30, 2011
0.3-RELEASE and 0.4-CURRENT contain a vulnerable version of BIND 9.6.x. Users who use BIND and a recursive DNS server should update to 0.3-RELEASE-p2. More information can be found at US-CERT
October 12, 2010
0.3-PRERELEASE and 0.4-CURRENT have an issue in all pseudofs based file systems including procfs and linprocfs that either can be used to run code as the kernel or at best crash the system. It's important to update the kernel on systems affected. If you can't do that, disable proc and linproc on your systems until a new kernel can be built. 0.2.1 is not believed to be affected as the code is significantly different and the locking issue is not present.
September 2, 2010
A minor vulnerability in libutil was reported. It can cause uses of some services such as OpenSSH to bypass cpu resource restrictions in 0.3 by use of a custom login.conf. This issue has been fixed today in kern.osreldate 3015 or better.
June 10, 2009
This should be applied to all systems running 0.2.1. Users on p9 simply should update their kernels. No world update is required.
The SIOCSIFINFO_IN6 ioctl is missing a necessary permissions check. Don't let everyone on the planet (with local access) change the properties on the ipv6 interfaces.
Stop unprivileged processes from reading pages of memory belonging to other processes with anonymous pipes.
0.3-Current users can verify they have the patch by checking sysctl kern.osreldate. If the value is 3005 or better, you have the patch.
May 21, 2009
This fix is only in configuration files for ssh and sshd. Users on p8 should simply addCiphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbcto their configuration files for sshd_config and ssh_config in etc/ssh
April 22, 2009
The function ASN1_STRING_print_ex does not properly validate the lengths of BMPString or UniversalString objects before attempting to print them. MidnightBSD 0.2.1-RELEASE-p8 and 0.3-CURRENT include this fix.
March 26, 2009
Update for sudo that corrects several outstanding security advisories. This was corrected in 0.2.1-RELEASE-p7 and 0.3-CURRENT. 0.1.x is no longer receiving security patches. It is recommended that you upgrade to 0.2.1-RELEASE-p7 when possible.
January 15, 2009
Prevent a DNSSEC attack with BIND. This was corrected in 0.2.1 and 0.3-CURRENT. 0.1.x is no longer receiving security patches. It is recommended that you upgrade to 0.2.1-RELEASE when possible.
January 10, 2009
Fix two issues with MidnightBSD 0.2.1 and 0.3-CURRENT. The first is in OpenSSL and would allow applications that use OpenSSL to interpret an invalid certificate as valid. The second is in lukemftpd(8) that could allow long commands to be split into multiple commands.
December 31, 2008
Correct a problem where bluetooth and netgraph sockets were not initialized properly. This is available in RELENG_0_2, RELENG_0_1, and current.
November 24, 2008
Correct a problem in arc4random which causes the device not to get enough entropy for system services. Geom classes initialized at startup will still have problems. Update your system to RELENG_0_2 (MidnightBSD 0.2.1-p3)
September 29, 2008
A vulnerability in ftpd could allow unauthorized access. This is network exploitable and affects all versions of MidnightBSD.
Update your system using cvs to RELENG_0_2 or apply the patch on the ftp server in pub/MidnightBSD/patches/0.2.1/patch-ftpd and rebuild ftpd.
Septmeber 4, 2008
ICMPv6 code does not properly check the proposed MTU in the case of a "Packet Too Big Message" Systems without IPV6 support are safe. You may update your systems or block the ICMP traffic from a firewall or router. (CURRENT/RELENG_0_2)
Septmeber 4, 2008
An issue has been reported on systems running MidnightBSD for amd64/emt64 processors. (in 64bit os) This patch was released AFTER 0.2.1-RELEASE. Update systems to RELENG_0_2 or CURRENT to get the fix. From the FreeBSD advisory on the same issue: If a General Protection Fault happens on a FreeBSD/amd64 system while it is returning from an interrupt, trap or system call, the swapgs CPU instruction may be called one extra time when it should not resulting in userland and kernel state being mixed.
July 11, 2008
Update to bind 9.4.1 p1 to fix the recently reported vulnerability in most dns software. Users of BIND are recommended to update to the latest version in src on RELENG_0_2 or CURRENT, or to obtain a newer version from mports.
May 16, 2008
The Debian project made a patch to openssl causing a defect in the generation of ssh keys. A new utility was added to midnightbsd to detect these keys and deny them. This was applied to RELENG_0_2 and CURRENT. The utility was obtained from Ubuntu.
April 17, 2008
OpenSSH was updated to 5.0p1 in CURRENT to correct an issue with X11 forwarding. A patch for this issue was committed to RELENG_0_1 as well as a fix for a config file issue.
April 17, 2008
A security issue was found in mksh. This only affected CURRENT users. The software was updated to r33d
April 6, 2008
bzip2 was updated to 1.05 in CURRENT to correct a security issue.
April 3, 2008
A security issue was found with strfmon in libc. CVE-2008-1391 Integer Overflow. This was fixed in CURRENT.
February 15, 2008
CURRENT now has a patch to correct a potential security issue with sendfile. Files were not checked prior to serving which would allow a file that was write only to be served. While this scenario is rare, we decided to fix it anyway.
sendfile is used by many daemons including Apache httpd.
August 1, 2007
BIND and Tcpdump were patched in 0.2 and 0.1 for recent security issues. BIND is now equivalent to 9.3.4p1.
May 2, 2007
CURRENT and STABLE both have the patch for ipv6 type 0 routing headers. The problem is that ipv6 routing headers could be run over the same link multiple times.
March 10, 2007
While many of the DST changes were imported last year, we decided to cover all cases and import the latest tzdata2007c. Users concerned about DST changes should update their sources and rebuild. The java ports may not have DST changes in place. We will review that issue.
January 23, 2007
A "symlink" exploit was found in the MidnightBSD jail system. A fix was made available. Please update your /etc/rc.d/jail file from cvs. Patches will not be created until our first release.