Security Updates

mport Software Packages

For third-party security advisories related to packages, see the Security Advisory website. To detect vulnerable software packages installed on the system, install the security advisory client with mport install security-advisory-client, then run advisory.pl to check your system.

mport audit can also be used to check for security issues with packages on the mport versions included with MidnightBSD 3.0.2 and higher.

MidnightBSD Security Advisories

August 2, 2023

MidnightBSD 3.0.2

pam_krb5 authenticates the user by essentially running kinit(1) with the password, getting a 'ticket-granting ticket' (tgt) from the Kerberos KDC (Key Distribution Center) over the network, as a way to verify the password.

Normally, the system running the pam_krb5 module will also have a keytab, a key provisioned by the KDC. The pam_krb5 module will use the tgt to get a service ticket and validate it against the keytab, ensuring the tgt is valid and therefore, the password is valid.

However, if a keytab is not provisioned on the system, pam_krb5 has no way to validate the response from the KDC, and essentially trusts the tgt provided over the network as being valid.

Remove some unused files from contrib that trigger security scanners

April 9, 2023

MidnightBSD 2.2.8

Fix a CVE in the APR used by svnlite CVE-2022-25147

April 3, 2023

MidnightBSD 3.0.1

OpenSSL 1.1.1t

Fix CVE-2020-10188 in telnetd

doas 6.3p9

tzdata 2023c

February 13, 2023

MidnightBSD 2.2.7

tzdata 2022g

November 11, 2022

MidnightBSD 2.2.6

tzdata 2022f

heimdal security patches
CVE-2022-42898 PAC parse integer overflows
CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
CVE-2019-14870 Validate client attributes in protocol-transition
CVE-2019-14870 Apply forwardable policy in protocol-transition
CVE-2019-14870 Always lookup impersonate client in DB

August 31, 2022

MidnightBSD 1.2.11

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field.

August 31, 2022

MidnightBSD 2.2.4

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field.

Update tzdata to 2022c

August 29, 2022

MidnightBSD 2.2.3

Fix a security issue with CAM and when dumping core.

July 2, 2022

MidnightBSD 2.2.1

Fix a resource leak in libmport that could result in a denial of service for other processes.

June 7, 2022

MidnightBSD 2.2.0

Reject execve when new argc is zero. Fixes a security issue with NULL argv[0] entries similar to the recent CVE with polkit on Linux.

April 8, 2022

MidnightBSD 2.1.8

netmap

Fix TOCTOU vulnerability in nmreq_copyin. The total size of the user-provided nmreq was first computed and then trusted during the copyin. This might lead to kernel memory corruption and escape from jails/containers. Security: CVE-2022-23084

An unsanitized field in an option could be abused, causing an integer overflow followed by kernel memory corruption. This might be used to escape jails/containers. Security: CVE-2022-23085

April 4, 2022

MidnightBSD 2.1.7

zlib 1.2.12

Fix a deflate bug when using the Z_FIXED strategy that can result in out-of-bound accesses.
Fix a deflate bug when the window is full in deflate_stored().
Speed up CRC-32 computations by a factor of 1.5 to 3.
Use the hardware CRC-32 instruction on ARMv8 processors.
Speed up crc32_combine() with powers of x tables.
Add crc32_combine_gen() and crc32_combine_op() for fast combines.

March 20, 2022

MidnightBSD 2.1.6

Fix security vulnerability in OpenSSL and WiFi.

Update tzdata to 2022a

February 10, 2022

MidnightBSD 2.1.5

Fix multiple issues with memory handling in libmport

January 26, 2022

MidnightBSD 2.1.4

Reject execve when new argc is zero
Fixes a security issue with NULL argv[0] entries, similar to the recent CVE with polkit on Linux. The current POC for that does not work on MidnightBSD since we don't use glibc, but proactively prevent similar issues.

January 16, 2022

MidnightBSD 2.1.3

mport package manager (20121217)

Bug fix for Hyper-V support on Windows Server 2022.

Fix register restore for SSE/XMM

November 04, 2021

MidnightBSD 2.1.2

Updated mport 2.2.0 code with bugfixes and new plist features.

Updated tzdata to fix some DST changes in Asia

Update root certificates bundle

August 25, 2021

Patch 3 security issues:

Certain VirtIO-based device models failed to handle errors when fetching I/O descriptors. Such errors could be triggered by a malicious guest. As a result, the device model code could be tricked into operating on uninitialized I/O vectors, leading to memory corruption.

The ggatec(8) daemon does not validate the size of a response before writing it to a fixed-sized buffer. This allows an attacker to overwrite the stack of ggatec(8).

The passive mode in FTP communication allows an out-of-bounds read while libfetch uses strtol to parse the relevant numbers into address bytes. It does not check whether the line ends prematurely. If it does, the for-loop condition checks for *p == '\0' one byte too late, because p++ was already performed.
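The libfetch bug above is an end-of-line check that runs after the pointer has already been advanced. The following is an added example, not libfetch's own code: a parser for the six numbers of an FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply that checks the terminator before every advance, so a truncated line is rejected instead of read past its NUL. The function and struct names and the sample reply lines are constructed for this example.

```c
/*
 * Constructed example, not libfetch code: parse the PASV reply numbers with
 * strtol(3), checking for end of line *before* advancing past a separator.
 */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct pasv_addr {
    uint8_t  ip[4];
    uint16_t port;
};

/*
 * Returns 0 and fills *out on success, -1 on a truncated or malformed reply.
 * No byte beyond the NUL terminator of line is ever read.
 */
static int
parse_pasv(const char *line, struct pasv_addr *out)
{
    const char *p = line;
    long v[6];
    int i;

    if (strncmp(p, "227", 3) != 0)
        return -1;                      /* not a PASV reply */
    p += 3;
    /* RFC 1123 4.1.2.6: be lenient about the text before the numbers. */
    while (*p != '\0' && !isdigit((unsigned char)*p))
        p++;
    for (i = 0; i < 6; i++) {
        char *end;

        if (!isdigit((unsigned char)*p))
            return -1;                  /* line ended early or no number here */
        errno = 0;
        v[i] = strtol(p, &end, 10);
        if (errno != 0 || v[i] < 0 || v[i] > 255)
            return -1;                  /* every field is a single octet */
        p = end;                        /* strtol stopped on the first non-digit */
        if (i < 5) {
            if (*p != ',')
                return -1;              /* premature end of line or bad separator */
            p++;                        /* safe: *p was ',' and therefore not NUL */
        }
    }
    for (i = 0; i < 4; i++)
        out->ip[i] = (uint8_t)v[i];
    out->port = (uint16_t)((v[4] << 8) | v[5]);
    return 0;
}

/* Small wrappers so the results can be checked from a caller. */
static int
pasv_ok(const char *line)
{
    struct pasv_addr a;
    return parse_pasv(line, &a);
}

static unsigned
pasv_port(const char *line)
{
    struct pasv_addr a;
    return parse_pasv(line, &a) == 0 ? a.port : 0;
}

static int
pasv_octet(const char *line, int i)
{
    struct pasv_addr a;
    return (parse_pasv(line, &a) == 0 && i >= 0 && i < 4) ? a.ip[i] : -1;
}
```

The check `*p != ','` is performed while `p` still points at the separator position, so a line that stops after any of the first five numbers fails there, and `p++` only ever steps over a comma that was actually present.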

June 30, 2021

A programming error in the Linux compatibility layer futex(2) system call might allow attackers to cause a denial of service.

libcasper(3) creates service processes by forking the calling process, so they initially inherit the calling process's file descriptor table. Casper services expect that the lowest three file descriptors, traditionally corresponding to standard input, output, and error, are redirected to /dev/null, and libcasper(3) ensures this is the case. However, it did not handle the possibility that one of them is closed, and this scenario would trigger an assertion failure during service creation, resulting in a crash.

April 6, 2021

MidnightBSD 2.0.7

Fix two security issues:

A particular case of memory sharing is mishandled in the virtual memory system. It is possible and legal to establish a relationship where multiple descendant processes share a mapping which shadows memory of an ancestor process. In this scenario, when one process modifies memory through such a mapping, the copy-on-write logic fails to invalidate other mappings of the source page. These stale mappings may remain even after the mapped pages have been reused for another purpose.

Due to a race condition between lookup of ".." and remounting a filesystem, a process running inside a jail might access filesystem hierarchy outside of jail.

February 24, 2021

MidnightBSD 2.0.6

Happy 15th anniversary to MidnightBSD!

Fix a security issue with pam. The rules would not be applied correctly.

xen fix to unmap correctly when errors occur

February 6, 2021

tzdata 2021a

Fix an extattr corruption bug with ufs

Uninitialized kernel stack leaks in several file systems

Xen guests can trigger backend Out Of Memory

December 20, 2020

libarchive 3.5.0

Update caroot certs

unbound 1.13.0

December 2, 2020

ICMPv6: A remote host may be able to trigger a read of freed kernel memory. This may trigger a kernel panic if the address had been unmapped.

tzdata: (2020d imported to fix) An incorrect time will be displayed on a system configured to use one of the affected timezones if the /usr/share/zoneinfo and /etc/localtime files are not updated, and all applications on the system that rely on the system time, such as cron(8) and syslog(8), will be affected.

ipfw: initialize some variables to fix some odd handling with ports.

callout(9)
Callouts may be bound to a specific CPU, in which case that CPU is responsible for raising the timer interrupt which schedules execution of the callout. A kernel thread may attempt to stop a callout while it is actively executing, in which case the thread goes to sleep until execution has completed. In the meantime the callout may be re-scheduled and re-executed on a different CPU. In this scenario, when the sleeping thread finally completes removal of the callout from some internal data structures, it may modify the wrong CPU's data structures and thus leave them in an invalid state.

rtsold(8)
Two bugs exist in rtsold(8)'s RDNSS and DNSSL option handling. First, rtsold(8) failed to perform sufficient bounds checking on the extent of the option. In particular, it does not verify that the option does not extend past the end of the received packet before processing its contents. The kernel currently ignores such malformed packets but still passes them to userspace programs. Second, when processing a DNSSL option, rtsold(8) decodes domain name labels per an encoding specified in RFC 1035 in which the first octet of each label contains the label's length. rtsold(8) did not validate label lengths correctly and could overflow the destination buffer.

A bug in the firstboot script was corrected that referenced an invalid package name.

burncd was removed.

September 23, 2020

MidnightBSD 1.2.10

udf: Validate the full file entry length

Otherwise a corrupted file entry containing invalid extended attribute lengths or allocation descriptor lengths can trigger an overflow when the file entry is loaded. Discovered by: C Turt ecturt@gmail.com

September 15, 2020

MidnightBSD 1.2.9

ftpd
An ftpd(8) bug in the implementation of the file system sandbox, combined with capabilities available to an authenticated FTP user, can be used to escape the file system restriction configured in ftpchroot(5). Moreover, the bug allows a malicious client to gain root privileges.

bhyve
AMD and Intel CPUs support hardware virtualization using specialized data structures that control various aspects of guest operation. These are the Virtual Machine Control Structure (VMCS) on Intel CPUs, and the Virtual Machine Control Block (VMCB) on AMD CPUs. Insufficient access controls allow root users, including those running in a jail, to change these data structures.

A number of AMD virtualization instructions operate on host physical addresses, are not subject to nested page table translation, and guest use of these instructions was not trapped.

September 2, 2020

MIDNIGHTBSD-SA-20:01.txt
MIDNIGHTBSD-SA-20:02.txt

Additionally a bug exists in dhclient.

From FreeBSD advisory for CVE-2020-7461
When parsing option 119 data, dhclient(8) computes the uncompressed domain list length so that it can allocate an appropriately sized buffer to store the uncompressed list. The code to compute the length failed to handle certain malformed input, resulting in a heap overflow when the uncompressed list is copied into an inadequately sized buffer.
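Both the rtsold(8) DNSSL bugs described under December 2, 2020 and the dhclient(8) option 119 bug above come from decoding the same RFC 1035 label encoding (option 119 adds RFC 3397 compression pointers) without checking each length against what remains of the input and the destination. The following is an added example, not rtsold(8), dhclient(8), or any FreeBSD/MidnightBSD code: a bounds-checked decoder for that encoding, plus the option-extent check that userspace must do itself because, as the rtsold(8) note says, the kernel passes malformed packets through. The function names, the sample option bytes and the sample packet are constructed for this example.

```c
/*
 * Constructed example, not rtsold(8)/dhclient(8) code: a bounds-checked
 * decoder for RFC 1035 labels as used by the DNSSL option and DHCP option
 * 119.  Every length is checked against the remaining input before it is
 * used, and against the destination before anything is copied.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_LABEL 63                    /* RFC 1035 label limit */
#define MAX_NAME  255                   /* RFC 1035 name limit */

/* Decode one name at buf[pos] into out (dotted, NUL-terminated).  Returns the
 * number of option bytes the name occupies at pos (bytes reached through a
 * compression pointer do not count), or -1 on malformed or oversized input. */
static int
decode_name(const uint8_t *buf, size_t buflen, size_t pos, char *out, size_t outlen)
{
    size_t cur = pos, floor_ = pos, outpos = 0, consumed = 0;
    int jumped = 0;

    if (outlen == 0)
        return -1;
    for (;;) {
        if (cur >= buflen)
            return -1;                  /* length octet lies past the input */
        uint8_t len = buf[cur];
        if ((len & 0xC0) == 0xC0) {     /* RFC 1035 compression pointer */
            if (cur + 1 >= buflen)
                return -1;
            size_t target = ((size_t)(len & 0x3F) << 8) | buf[cur + 1];
            if (!jumped)
                consumed = cur + 2 - pos;
            jumped = 1;
            if (target >= floor_)
                return -1;              /* must point strictly backwards: no loops */
            floor_ = cur = target;
            continue;
        }
        if (len & 0xC0)
            return -1;                  /* 0x40/0x80 prefixes are reserved */
        if (len == 0) {                 /* root label ends the name */
            if (!jumped)
                consumed = cur + 1 - pos;
            break;
        }
        if (len > MAX_LABEL || cur + 1 + len > buflen)
            return -1;                  /* label runs past the input */
        if (outpos + (outpos > 0) + len + 1 > outlen)
            return -1;                  /* would overflow the destination */
        if (outpos > 0)
            out[outpos++] = '.';
        memcpy(out + outpos, buf + cur + 1, len);
        outpos += len;
        cur += 1 + len;
    }
    out[outpos] = '\0';
    return (int)consumed;
}

/* Decode a whole list; zero octets between names are DNSSL padding.
 * Returns the number of names, or -1 if any name is malformed. */
static int
decode_search_list(const uint8_t *buf, size_t buflen, char names[][MAX_NAME + 1], int maxnames)
{
    size_t pos = 0;
    int n = 0;

    while (pos < buflen) {
        if (buf[pos] == 0) { pos++; continue; }
        if (n >= maxnames)
            return -1;
        int used = decode_name(buf, buflen, pos, names[n], MAX_NAME + 1);
        if (used < 0)
            return -1;
        pos += (size_t)used;
        n++;
    }
    return n;
}

/* The first rtsold(8) bug: check the ND option's extent (length is in 8-octet
 * units) against the packet before touching its body.  Returns the body
 * offset after the 8-octet DNSSL header and stores the body length, or -1. */
static int
dnssl_body(const uint8_t *pkt, size_t pktlen, size_t optoff, size_t *bodylen)
{
    if (optoff + 2 > pktlen)
        return -1;                      /* no room for type and length */
    size_t optlen = (size_t)pkt[optoff + 1] * 8;
    if (optlen < 8 || optoff + optlen > pktlen)
        return -1;                      /* zero length or extends past packet */
    *bodylen = optlen - 8;              /* type, len, reserved(2), lifetime(4) */
    return (int)(optoff + 8);
}

/* Constructed sample: "example.com", then "sub" + pointer to it, then padding. */
static const uint8_t sample_list[] = {
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    3, 's', 'u', 'b', 0xC0, 0x00,
    0, 0, 0, 0, 0
};

static int
sample_count(void)
{
    char names[4][MAX_NAME + 1];
    return decode_search_list(sample_list, sizeof sample_list, names, 4);
}

static const char *
sample_name(int i)
{
    static char names[4][MAX_NAME + 1];
    int n = decode_search_list(sample_list, sizeof sample_list, names, 4);
    return (i >= 0 && i < n) ? names[i] : NULL;
}

/* Returns 1 if a truncated label and a self-referencing pointer are both rejected. */
static int
rejects_malformed(void)
{
    static const uint8_t trunc[] = { 7, 'e', 'x', 'a' };          /* label past end */
    static const uint8_t loop[] = { 1, 'a', 0xC0, 0x00 };         /* points at itself */
    char names[1][MAX_NAME + 1];
    return decode_search_list(trunc, sizeof trunc, names, 1) == -1 &&
           decode_search_list(loop, sizeof loop, names, 1) == -1;
}

/* Returns 1 if an exactly-fitting DNSSL option is accepted and an overlong one rejected. */
static int
dnssl_checks(void)
{
    uint8_t pkt[8 + sizeof sample_list];    /* 32 octets: header + list */
    size_t bodylen;
    memset(pkt, 0, sizeof pkt);
    pkt[0] = 31;                            /* DNSSL option type (RFC 8106) */
    pkt[1] = 4;                             /* 4 * 8 = 32 octets: fits exactly */
    memcpy(pkt + 8, sample_list, sizeof sample_list);
    if (dnssl_body(pkt, sizeof pkt, 0, &bodylen) != 8 || bodylen != 24)
        return 0;
    pkt[1] = 5;                             /* claims 40 octets: past the packet */
    return dnssl_body(pkt, sizeof pkt, 0, &bodylen) == -1;
}
```

The pointer rule (a target must lie strictly before the start of the segment currently being read) accepts every legitimate RFC 1035 compression, which always refers to an earlier occurrence, while making loops impossible without a hop counter.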

sctp CVE-2020-7463 - Triggering the use-after-free situation may result in unintended kernel behaviour including a kernel panic.

IPv6 Hop-by-Hop options use-after-free bug CVE-2020-7462 - Due to improper mbuf handling in the kernel, a use-after-free bug might be triggered by sending IPv6 Hop-by-Hop options over the loopback interface.

All of these have been patched in 1.3-CURRENT, and the dhclient issue was corrected in 1.2 stable (1.2.8 release), and 1.3-CURRENT.

August 7, 2020

MidnightBSD 1.2.6 (in git)

Missing length validation in code common to these three drivers means that a malicious USB device could write beyond the end of an allocated network packet buffer.

  • smsc(4), supporting SMSC (now Microchip) devices
  • muge(4), supporting Microchip devices
  • cdceem(4), supporting USB Communication Device Class compatible devices

sendmsg security fix

When handling a 32-bit sendmsg(2) call, the compat32 subsystem copies the control message to be transmitted (if any) into kernel memory, and adjusts alignment of control message headers. The code which performs this work contained a time-of-check to time-of-use (TOCTOU) vulnerability which allows a malicious userspace program to modify control message headers after they were validated by the kernel.

July 23, 2020

MidnightBSD 1.2.5 (in git)

Fix a 30 year old bug in mountd.

July 10, 2020

MidnightBSD 1.2.4, 1.1.4 (in git)

Update libmport to fix several package installation bugs, including permissions not getting set properly and path issues.

July 9, 2020

MidnightBSD 1.2.3 (in git)

Security update for sqlite3. Update to 3.32.3

Update unbound to 1.10.1

May 14, 2020

MidnightBSD 1.2.2 (in git)

Fixed a security issue in libalias.

The FTP packet handler in libalias incorrectly calculates some packet lengths. This may result in disclosing small amounts of memory from the kernel (for the in-kernel NAT implementation) or from the process space for natd (for the userspace implementation).

Updated tzdata to 2020a.

August 22, 2019

MidnightBSD 1.1.3 (in SVN)

The kernel driver for /dev/midistat implements a handler for read(2). This handler is not thread-safe, and a multi-threaded program can exploit races in the handler to cause it to copy out kernel memory outside the boundaries of midistat's data buffer.

System calls operating on file descriptors obtain a reference to the relevant struct file which, due to a programming error, was not always put back; this in turn could be used to overflow the reference counter of the affected struct file.

August 21, 2019

Security patch for CVE-2019-5611.

Due to a missing check in the code of m_pulldown(9), data returned may not be contiguous as requested by the caller.

August 8, 2019

bsnmp - A function extracting the length from type-length-value encoding is not properly validating the submitted length.

OpenSSH 7.9p1 (in 1.2 current), bzip2 1.0.7 in current

July 24, 2019

Fix some buffer overflows in telnet client

The code which handles a close(2) of a descriptor created by posix_openpt(2) fails to undo the configuration which causes SIGIO to be raised. This bug can lead to a write-after-free of kernel memory.

Due to insufficient initialization of memory copied to userland in the components listed above small amounts of kernel memory may be disclosed to userland processes.

January 18, 2019

Updated in current for security issues:

OpenSSH 7.5p1
OpenSSL 1.0.2p
Perl 5.28.0

November 30, 2018

ICMP Buffer underwrite fix

September 12, 2018

ELF header security issue
Insufficient validation was performed in the ELF header parser, and malformed or otherwise invalid ELF binaries were not rejected as they should be.

August 15, 2018

When using WPA2, EAPOL-Key frames with the Encrypted flag and without the MIC flag set, the data field was decrypted first without verifying the MIC. When the data field was encrypted using RC4, for example, when negotiating TKIP as a pairwise cipher, the unauthenticated but decrypted data was subsequently processed. This opened wpa_supplicant(8) to abuse by decryption and recovery of sensitive information contained in EAPOL-Key messages.

See https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt for a detailed description of the bug.

August 08, 2017

MidnightBSD 0.8.6 RELEASE

Update em(4) to support skylake and kabylake era Intel NICs.

Update usb(4) to support newer Intel and Asmedia controllers and several new devices.

Heimdal KDC-REP service name validation vulnerability patched.

serf 1.3.9

subversion 1.8.10

December 13, 2016

MidnightBSD 0.8.5 RELEASE

Fix two security issues, telnetd and link_ntoa(3) in libc.

November 5, 2016

MidnightBSD 0.8.4 RELEASE

BIND 9.9.9-p4
OpenSSH 7.3p1

OpenSSL security patch
Due to improper handling of alert packets, OpenSSL would consume an excessive amount of CPU time processing undefined alert messages.

October 25, 2016

MidnightBSD 0.8.3 RELEASE

Revised patch to address a problem pointed out by ahaha from Chaitin Tech.

October 1, 2016

MidnightBSD 0.8.2 RELEASE

Fix a regression with OpenSSL security.

Sendmail 8.15.2

September 23, 2016

MidnightBSD 0.8.1 RELEASE

Security Updates for OpenSSL

A malicious client can send an excessively large OCSP Status Request extension. If that client continually requests renegotiation, sending a large OCSP Status Request extension each time, then there will be unbounded memory growth on the server. [CVE-2016-6304]

An overflow can occur in MDC2_Update() either if called directly or through the EVP_DigestUpdate() function using MDC2. If an attacker is able to supply very large amounts of input data after a previous call to EVP_EncryptUpdate() with a partial block then a length check can overflow resulting in a heap corruption. [CVE-2016-6303]

If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a DoS attack where a malformed ticket will result in an OOB read which will ultimately crash. [CVE-2016-6302]

The function BN_bn2dec() does not check the return value of BN_div_word(). This can cause an OOB write if an application uses this function with an overly large BIGNUM. This could be a problem if an overly large certificate or CRL is printed out from an untrusted source. TLS is not affected because record limits will reject an oversized certificate before it is parsed. [CVE-2016-2182]

The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is the total length the OID text representation would use and not the amount of data written. This will result in OOB reads when large OIDs are presented. [CVE-2016-2180]

Some calculations of limits in OpenSSL have used undefined pointer arithmetic. This could cause problems with some malloc implementations. [CVE-2016-2177]

Operations in the DSA signing algorithm should run in constant time in order to avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that a non-constant time codepath is followed for certain operations. [CVE-2016-2178]

In a DTLS connection where handshake messages are delivered out-of-order those messages that OpenSSL is not yet ready to process will be buffered for later use. Under certain circumstances, a flaw in the logic means that those messages do not get removed from the buffer even though the handshake has been completed. An attacker could force up to approx. 15 messages to remain in the buffer when they are no longer required. These messages will be cleared when the DTLS connection is closed. The default maximum size for a message is 100k. Therefore the attacker could force an additional 1500k to be consumed per connection. [CVE-2016-2179]

A flaw in the DTLS replay attack protection mechanism means that records that arrive for future epochs update the replay protection "window" before the MAC for the record has been validated. This could be exploited by an attacker by sending a record for the next epoch (which does not have to decrypt or have a valid MAC), with a very large sequence number. This means that all subsequent legitimate packets are dropped causing a denial of service for a specific DTLS connection. [CVE-2016-2181]

In OpenSSL 1.0.2 and earlier some missing message length checks can result in OOB reads of up to 2 bytes beyond an allocated buffer. There is a theoretical DoS risk but this has not been observed in practice on common platforms. [CVE-2016-6306]

May 31, 2016

MidnightBSD 0.7.9 RELEASE

Fix four security issues with MidnightBSD.

The implementation of the TIOCGSERIAL ioctl(2) does not clear the output struct before sending it to userland in the Linux emulation layer.

The compat 43 stat(2) system call exposes kernel stack to userland.

libarchive - CVE-2015-2304 and CVE-2013-0211 fix issues with cpio directory traversal and an integer signedness error in the archive write zip data routine.

May 19, 2016

MidnightBSD 0.7.8 RELEASE

Kernel Security updates

atkbd(4) - Incorrect signedness comparison in the ioctl(2) handler allows a malicious local user to overwrite a portion of the kernel memory.

Incorrect argument handling in sendmsg(2)

Incorrect argument handling in the socket code allows a malicious local user to overwrite a large portion of the kernel memory.

May 5, 2016

MidnightBSD 0.7.7 RELEASE

OpenSSL security patch

The padding check in AES-NI CBC MAC was rewritten to be in constant time by making sure that always the same bytes are read and compared against either the MAC or padding bytes. But it no longer checked that there was enough data to have both the MAC and padding bytes. [CVE-2016-2107]

An overflow can occur in the EVP_EncodeUpdate() function which is used for Base64 encoding of binary data. [CVE-2016-2105]

An overflow can occur in the EVP_EncryptUpdate() function, however it is believed that there can be no overflows in internal code due to this problem. [CVE-2016-2106]

When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio() a short invalid encoding can cause allocation of large amounts of memory potentially consuming excessive resources or exhausting memory. [CVE-2016-2109]

March 17, 2016

MidnightBSD 0.7.6 RELEASE

OpenSSH doesn't have the luck of the Irish.

Fix a security issue with OpenSSH X11 forwarding that can allow an attacker to run shell commands on the call to xauth.

Incorrect argument validation in sysarch(2)

A special combination of sysarch(2) arguments specifies a request to uninstall a set of descriptors from the LDT. The start descriptor is cleared and the number of descriptors is provided. Due to invalid use of a signed intermediate value in the bounds checking during argument validity verification, unbounded zeroing of the process LDT and adjacent memory can be initiated from usermode.
Patch obtained from FreeBSD.

March 10, 2016

MidnightBSD 0.7.5 RELEASE

Security patch for OpenSSL to stop DROWN [CVE-2016-0800] [CVE-2016-0705] [CVE-2016-0798] [CVE-2016-0797] [CVE-2016-0799] [CVE-2016-0702] [CVE-2016-0704]

A programming error in the Linux compatibility layer could cause the issetugid(2) system call to return incorrect information.

January 30, 2016

MidnightBSD 0.7.4 RELEASE

OpenSSL CVE-2015-3197

A malicious client can negotiate SSLv2 ciphers that have been disabled on the server and complete SSLv2 handshakes even if all SSLv2 ciphers have been disabled, provided that the SSLv2 protocol was not also disabled via SSL_OP_NO_SSLv2.

January 14, 2016

OpenSSH

Disable roaming to mitigate a security issue with OpenSSH.

0.7.3 RELEASE

OpenSSL

The signature verification routines will crash with a NULL pointer dereference if presented with an ASN.1 signature using the RSA PSS algorithm and absent mask generation function parameter. [CVE-2015-3194]

When presented with a malformed X509_ATTRIBUTE structure, OpenSSL will leak memory. [CVE-2015-3195]

If PSK identity hints are received by a multi-threaded client then the values are incorrectly updated in the parent SSL_CTX structure. [CVE-2015-3196]

linuxolator

A programming error in the Linux compatibility layer setgroups(2) system call can lead to unexpected results, such as overwriting random kernel memory contents.

A programming error in the handling of Linux futex robust lists may result in incorrect memory locations being accessed.

0.7.2 RELEASE

Fix a security issue with bsnmpd configuration file installation.

TCP MD5 signature denial of service

A programming error in processing a TCP connection with both TCP_MD5SIG and TCP_NOOPT socket options may lead to kernel crash.

SCTP

A lack of proper input checks in the ICMPv6 processing in the SCTP stack can lead to either a failed kernel assertion or to a NULL pointer dereference. In either case, a kernel panic will follow.

September 30, 2015

0.7.1 RELEASE

rpcbind(8) remote denial of service

In rpcbind(8), netbuf structures are copied directly, which would result in two netbuf structures that reference one shared address buffer. When one of the two netbuf structures is freed, access to the other netbuf structure would result in an undefined result that may crash the rpcbind(8) daemon.

10/2: Revised rpcbind(8) patch to fix issues with NIS

August 25, 2015

0.6.7 RELEASE

Kernel: Fix a security issue on amd64 where the GS segment CPU register can be changed via userland value in kernel mode by using an IRET with #SS or #NP exceptions.

OpenSSH: A programming error in the privileged monitor process of the sshd(8) service may allow the username of an already-authenticated user to be overwritten by the unprivileged child process.

A use-after-free error in the privileged monitor process of the sshd(8) service may be deterministically triggered by the actions of a compromised unprivileged child process.

A use-after-free error in the session multiplexing code in the sshd(8) service may result in unintended termination of the connection.

August 18, 2015

0.6.6 RELEASE

Fix a security vulnerability in the expat XML parser.

August 8, 2015

0.6.5 RELEASE

routed(8) - fix a potential security issue where traffic from outside the network can disrupt routing.

July 28, 2015

0.6.4 RELEASE

TCP Reassembly resource exhaustion bug: There is a mistake with the introduction of VNET, which converted the global limit on the number of segments that could belong to reassembly queues into a per-VNET limit. Because mbufs are allocated from a global pool, in the presence of a sufficient number of VNETs, the total number of mbufs attached to reassembly queues can grow to the total number of mbufs in the system, at which point all network traffic would cease.
Obtained from: FreeBSD 8

OpenSSH

Fix two security vulnerabilities: OpenSSH clients do not correctly verify DNS SSHFP records when a server offers a certificate. [CVE-2014-2653]

OpenSSH servers which are configured to allow password authentication using PAM (default) would allow many password attempts. A bug allows MaxAuthTries to be bypassed. [CVE-2015-5600]

July 22, 2015

0.6.3 RELEASE

Fix a bug where TCP connections transitioning to LAST_ACK state can get stuck. This can result in a denial of service.

June 12, 2015

0.6.1 RELEASE

OpenSSL Security update - new version is OpenSSL 0.9.8zg

March 19, 2015

0.5.10 RELEASE

OpenSSL Security update

A malformed elliptic curve private key file could cause a use-after-free condition in the d2i_ECPrivateKey function. [CVE-2015-0209]

An attempt to compare ASN.1 boolean types will cause the ASN1_TYPE_cmp function to crash with an invalid read. [CVE-2015-0286]

Reusing a structure in ASN.1 parsing may allow an attacker to cause memory corruption via an invalid write. [CVE-2015-0287]

The function X509_to_X509_REQ will crash with a NULL pointer dereference if the certificate key is invalid. [CVE-2015-0288]

The PKCS#7 parsing code does not handle missing outer ContentInfo correctly. [CVE-2015-0289]

A malicious client can trigger an OPENSSL_assert in servers that both support SSLv2 and enable export cipher suites by sending a specially crafted SSLv2 CLIENT-MASTER-KEY message. [CVE-2015-0293]

February 25, 2015

0.5.9 RELEASE

Fix two security vulnerabilities.

1. BIND servers which are configured to perform DNSSEC validation and which are using managed keys (which occurs implicitly when using "dnssec-validation auto;" or "dnssec-lookaside auto;") may exhibit unpredictable behavior due to the use of an improperly initialized variable.

CVE-2015-1349

2. An integer overflow in computing the size of IGMPv3 data buffer can result in a buffer which is too small for the requested operation.

This can result in a DOS attack.

January 14, 2015

0.5.8 RELEASE

Fix several security issues with OpenSSL.

A carefully crafted DTLS message can cause a segmentation fault in OpenSSL due to a NULL pointer dereference. [CVE-2014-3571]

A memory leak can occur in the dtls1_buffer_record function under certain conditions. [CVE-2015-0206]

When OpenSSL is built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl method would be set to NULL which could later result in a NULL pointer dereference. [CVE-2014-3569]

An OpenSSL client will accept a handshake using an ephemeral ECDH ciphersuite using an ECDSA certificate if the server key exchange message is omitted. [CVE-2014-3572]

An OpenSSL client will accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. [CVE-2015-0204]

An OpenSSL server will accept a DH certificate for client authentication without the certificate verify message. [CVE-2015-0205]

OpenSSL accepts several non-DER-variations of certificate signature algorithm and signature encodings. OpenSSL also does not enforce a match between the signature algorithm between the signed and unsigned portions of the certificate. [CVE-2014-8275]

Bignum squaring (BN_sqr) may produce incorrect results on some platforms, including x86_64. [CVE-2014-3570]

December 11, 2014

0.5.7 RELEASE

Fix a security issue with file and libmagic that can allow an attacker to create a denial of service attack on any program that uses libmagic.

20141109:

Fix perl build during buildworld when the GDBM port is installed.

November 6, 2014

0.5.6 RELEASE

Update timezone data tzdata 2014i

(plus previous security fixes)

Fix two security issues:

1. sshd may link libpthread in the wrong order, shadowing libc functions and causing a possible DOS attack for connecting clients.

2. getlogin may leak kernel memory via a buffer that is copied without clearing.

October 31, 2014

0.5.5 RELEASE

tnftp 20141031 fixes a security vulnerability with tnftp, CVE-2014-8517.

October 27, 2014

0.5.4 RELEASE

libmport fix for packages

October 21, 2014

0.5.3-RELEASE

MidnightBSD 0.5.3-RELEASE is now available via subversion.

Fix several security vulnerabilities in OpenSSL, routed, rtsold, and namei with respect to Capsicum sandboxes looking up nonexistent path names and leaking memory.

OpenSSL update adds some workarounds for the recent poodle vulnerability reported by Google.

The input path in routed(8) will accept queries from any source and attempt to answer them. However, the output path assumes that the destination address for the response is on a directly connected network.

Due to a missing length check in the code that handles DNS parameters, a malformed router advertisement message can result in a stack buffer overflow in rtsold(8).

In addition, we've released 0.5.2-RELEASE ISOs on the FTP server for both amd64 and i386. We plan to do rollup security releases periodically.

October 11, 2014

0.5.2-RELEASE

Fixed a regression with mksh R50c.

October 4, 2014

0.5.1-RELEASE

Fixed a security issue with mksh. For more details, view the mksh notification.

September 16, 2014

0.4-RELEASE-p15

Fix a security issue with TCP SYN.

When a segment with the SYN flag for an already existing connection arrives, the TCP stack tears down the connection, bypassing a check that the sequence number in the segment is in the expected window.

September 9, 2014

0.4-RELEASE-p14

OpenSSL security patch:

The receipt of a specifically crafted DTLS handshake message may cause OpenSSL to consume large amounts of memory. [CVE-2014-3506]

The receipt of a specifically crafted DTLS packet could cause OpenSSL to leak memory. [CVE-2014-3507]

A flaw in OBJ_obj2txt may cause pretty printing functions such as X509_name_oneline, X509_name_print_ex et al. to leak some information from the stack. [CVE-2014-3508]

OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to a denial of service attack. [CVE-2014-3510]

July 10, 2014

0.4-RELEASE-p13

Fix a vulnerability in the control message API. A buffer is not properly cleared before sharing with userland.

June 5, 2014

0.4-RELEASE-p12

OpenSSL vulnerabilities

Receipt of an invalid DTLS fragment on an OpenSSL DTLS client or server can lead to a buffer overrun. [CVE-2014-0195]

Receipt of an invalid DTLS handshake on an OpenSSL DTLS client can lead the code to recurse unnecessarily. [CVE-2014-0221]

A carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. [CVE-2014-0224]

Carefully crafted packets can lead to a NULL pointer dereference in OpenSSL TLS client code if anonymous ECDH ciphersuites are enabled. [CVE-2014-3470]

June 4, 2014

0.4-RELEASE-p11

Sendmail failed to properly set close-on-exec for open file descriptors.

Ktrace page fault kernel trace entries were set to an incorrect size which resulted in a leak of information.

April 30, 2014

0.4-RELEASE-p10

Fix a TCP reassembly bug that could result in a DoS attack on the system. It may be possible to obtain portions of kernel memory as well.

April 9, 2014

0.4-RELEASE-p9

Fix an issue allowing an attacker to deadlock the NFS Server from a trusted client.

0.4-RELEASE-p8

Fix a security issue in OpenSSL [CVE-2014-0076]

February 1, 2014

0.4-RELEASE-p7

Fix a minor annoyance with the default dot.profile and ssh-agent

January 14, 2014

0.4-RELEASE-p6

Fix two security vulnerabilities. bsnmpd contains a stack overflow when sent certain queries. bind 9.8, when using NSEC3-signed zones, will crash on specially crafted packets.

November 29, 2013

MidnightBSD 0.4-RELEASE-p5

libc's iconv support includes an optimization that is incompatible with gettext's msgfmt command. By turning off this optimization, we gain compatibility with several GNU packages.

September 10, 2013

MidnightBSD 0.4-RELEASE-p4

nullfs(5)

The nullfs(5) implementation of the VOP_LINK(9) VFS operation does not check whether the source and target of the link are both in the same nullfs instance. It is therefore possible to create a hardlink from a location in one nullfs instance to a file in another, as long as the underlying (source) filesystem is the same.

Ifioctl

As is commonly the case, the IPv6 and ATM network layer ioctl request handlers are written in such a way that an unrecognized request is passed on unmodified to the link layer, which will either handle it or return an error code.

Network interface drivers, however, assume that the SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR and SIOCSIFNETMASK requests have been handled at the network layer, and therefore do not perform input validation or verify the caller's credentials. Typical link-layer actions for these requests may include marking the interface as "up" and resetting the underlying hardware.
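An added model of the layering mistake described in the two paragraphs above, written for this page and not taken from the MidnightBSD or FreeBSD ifioctl code: a network-layer handler that passes unrecognised requests straight to the driver, beside one that claims the SIOCSIF* requests and checks the caller's credentials first. The request codes, error values, `struct ifnet`/`struct thread` fields and function names are constructed stand-ins.

```c
#include <stdbool.h>
/* Constructed request codes for the model; the real ones live in <sys/sockio.h>. */
enum ifreq_cmd { REQ_SIOCSIFADDR = 1, REQ_SIOCSIFBRDADDR, REQ_SIOCSIFDSTADDR,
                 REQ_SIOCSIFNETMASK, REQ_DRIVER_PRIVATE = 0x100 /* stand-in for a driver-private request */ };
enum { OK = 0, ERR_EPERM = 1, ERR_EINVAL = 22 };     /* errno-like codes */
struct ifnet  { bool up; int hw_resets; };
struct thread { bool privileged; };                  /* caller's credentials */

static bool is_addr_request(enum ifreq_cmd cmd)
{
    return cmd == REQ_SIOCSIFADDR || cmd == REQ_SIOCSIFBRDADDR ||
           cmd == REQ_SIOCSIFDSTADDR || cmd == REQ_SIOCSIFNETMASK;
}

/* Link layer (driver): as the advisory notes, it assumes the address-setting
 * requests were validated above it and simply acts on them. */
static int link_ioctl(struct ifnet *ifp, enum ifreq_cmd cmd)
{
    if (is_addr_request(cmd)) {
        ifp->up = true;          /* typical driver action: mark up, reset hardware */
        ifp->hw_resets++;
        return OK;
    }
    return cmd == REQ_DRIVER_PRIVATE ? OK : ERR_EINVAL;   /* handle it or reject it */
}

/* Vulnerable network-layer handler: whatever it does not handle itself is passed
 * on unmodified, so SIOCSIF* requests reach the driver with no credential check. */
static int net_ioctl_vulnerable(struct ifnet *ifp, const struct thread *td, enum ifreq_cmd cmd)
{
    (void)td;
    return link_ioctl(ifp, cmd);
}

/* Fixed handler: the network layer claims the address-setting requests and
 * checks the caller before anything is forwarded to the link layer. */
static int net_ioctl_fixed(struct ifnet *ifp, const struct thread *td, enum ifreq_cmd cmd)
{
    if (is_addr_request(cmd) && !td->privileged)
        return ERR_EPERM;
    return link_ioctl(ifp, cmd);
}

int main(void)
{
    struct ifnet lo = { 0 };                           /* constructed interface, initially down */
    struct thread user = { .privileged = false };
    int rc1 = net_ioctl_vulnerable(&lo, &user, REQ_SIOCSIFADDR);   /* OK, and lo.up is now true */
    int rc2 = net_ioctl_fixed(&lo, &user, REQ_SIOCSIFADDR);        /* ERR_EPERM */
    return (rc1 == OK && rc2 == ERR_EPERM) ? 0 : 1;
}
```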

Patches obtained from FreeBSD

August 22, 2013

MidnightBSD 0.4-RELEASE-p2

Fix an integer overflow in IP_MSFILTER (IP multicast). This could be exploited by a user process to read memory.

When initializing the SCTP state cookie being sent in INIT-ACK chunks, a buffer allocated from the kernel stack is not completely initialized.

Patches obtained from FreeBSD

July 28, 2013

MidnightBSD 0.4-RELEASE-p1

Vulnerabilities were reported in BIND and NFS Server. BIND has a defect resulting in a possible denial of service attack with malformed rdata in a query. This affects only systems running named and not DNS clients.

For NFS, the kernel incorrectly uses client supplied credentials instead of the one configured in exports(5) when filling out the anonymous credential for a NFS export, when -network or -host restrictions are used at the same time. This patch was obtained from FreeBSD.

June 6, 2012

MidnightBSD 0.3-RELEASE-p9

A vulnerability exists in bind related to resource records. A zero length request can cause bind to crash resulting in a denial of service or disclosure of information.

CVE-2012-1667

May 30, 2012

MidnightBSD 0.3-RELEASE-p8

Fix a problem with crypt's DES implementation when used with non-7-bit ASCII passwords.

May 30, 2012

MidnightBSD 0.3-RELEASE-p7

An additional problem in OpenSSL was identified related to the previous (p6) patch.

Add SGC and BUF_MEM_grow_clean(3) bug fixes.

May 3, 2012

MidnightBSD 0.3-RELEASE-p6

OpenSSL fails to clear the bytes used as block cipher padding in SSL 3.0 records when operating as a client or a server that accepts SSL 3.0 handshakes. As a result, in each record, up to 15 bytes of uninitialized memory may be sent, encrypted, to the SSL peer. This could include sensitive contents of previously freed memory. [CVE-2011-4576]

OpenSSL support for handshake restarts for server gated cryptography (SGC) can be used in a denial-of-service attack. [CVE-2011-4619]

If an application uses OpenSSL's certificate policy checking when verifying X509 certificates, by enabling the X509_V_FLAG_POLICY_CHECK flag, a policy check failure can lead to a double-free. [CVE-2011-4109]

A weakness in the OpenSSL PKCS #7 code can be exploited using Bleichenbacher's attack on PKCS #1 v1.5 RSA padding also known as the million message attack (MMA). [CVE-2012-0884]

The asn1_d2i_read_bio() function, used by the d2i_*_bio and d2i_*_fp functions, in OpenSSL contains multiple integer errors that can cause memory corruption when parsing encoded ASN.1 data. This error can occur on systems that parse untrusted ASN.1 data, such as X.509 certificates or RSA public keys. [CVE-2012-2110]

December 23, 2011

Multiple security vulnerabilities impacting 0.3-RELEASE and 0.4-CURRENT have been patched in MidnightBSD.

  • Telnetd: Fix a root exploit from a fixed buffer that was not checked.
  • PAM: Don't allow escape from policy path. Exploitable in KDE, etc.
  • Fix pam_ssh module: If the pam_ssh module is enabled, attackers may be able to gain access to user accounts which have unencrypted SSH private keys.
  • Fix security issue with chroot and ftpd.
  • Nsdispatch(3) doesn't know it's working in a chroot and some operations can cause files to get reloaded causing a security hole in things like ftpd.

Users should update via CVS and buildworld / installworld. This corresponds to 0.3-RELEASE-p5.

November 4, 2011

MidnightBSD 0.3-RELEASE-p4

Fix a problem with unix socket handling caused by the recent patch to unix socket path handling. This allows network apps to work under the linuxolator again.

September 28, 2011

MidnightBSD 0.3-RELEASE-p3

Security hole in compress and gzip: malformed .Z files can cause an infinite loop in these utilities.

Validate paths for unix domain sockets.

May 30, 2011

0.3-RELEASE and 0.4-CURRENT contain a vulnerable version of BIND 9.6.x. Users who use BIND as a recursive DNS server should update to 0.3-RELEASE-p2. More information can be found at US-CERT.

October 12, 2010

0.3-PRERELEASE and 0.4-CURRENT have an issue in all pseudofs based file systems including procfs and linprocfs that either can be used to run code as the kernel or at best crash the system. It's important to update the kernel on systems affected. If you can't do that, disable proc and linproc on your systems until a new kernel can be built. 0.2.1 is not believed to be affected as the code is significantly different and the locking issue is not present.

September 2, 2010

A minor vulnerability in libutil was reported. It can allow users of some services such as OpenSSH to bypass CPU resource restrictions in 0.3 by use of a custom login.conf. This issue has been fixed today in kern.osreldate 3015 or better.

June 10, 2009

This should be applied to all systems running 0.2.1. Users on p9 should simply update their kernels. No world update is required.

IPV6:
The SIOCSIFINFO_IN6 ioctl is missing a necessary permissions check. Don't let everyone on the planet (with local access) change the properties on the IPV6 interfaces.

Anonymous pipes:
Stop unprivileged processes from reading pages of memory belonging to other processes with anonymous pipes.

0.3-Current users can verify they have the patch by checking sysctl kern.osreldate. If the value is 3005 or better, you have the patch.

May 21, 2009

This fix is only in configuration files for ssh and sshd. Users on p8 should simply add

Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc
to their configuration files for sshd_config and ssh_config in etc/ssh.

April 22, 2009

The function ASN1_STRING_print_ex does not properly validate the lengths of BMPString or UniversalString objects before attempting to print them. MidnightBSD 0.2.1-RELEASE-p8 and 0.3-CURRENT include this fix.

March 26, 2009

Update for sudo that corrects several outstanding security advisories. This was corrected in 0.2.1-RELEASE-p7 and 0.3-CURRENT. 0.1.x is no longer receiving security patches. It is recommended that you upgrade to 0.2.1-RELEASE-p7 when possible.

January 15, 2009

Prevent a DNSSEC attack with BIND. This was corrected in 0.2.1 and 0.3-CURRENT. 0.1.x is no longer receiving security patches. It is recommended that you upgrade to 0.2.1-RELEASE when possible.

January 10, 2009

Fix two issues with MidnightBSD 0.2.1 and 0.3-CURRENT. The first is in OpenSSL and would allow applications that use OpenSSL to interpret an invalid certificate as valid. The second is in lukemftpd(8) that could allow long commands to be split into multiple commands.

December 31, 2008

Correct a problem where bluetooth and netgraph sockets were not initialized properly. This is available in RELENG_0_2, RELENG_0_1, and current.

November 24, 2008

Correct a problem in arc4random which causes the device not to get enough entropy for system services. GEOM classes initialized at startup will still have problems. Update your system to RELENG_0_2 (MidnightBSD 0.2.1-p3).

September 29, 2008

A vulnerability in ftpd could allow unauthorized access. This is network exploitable and affects all versions of MidnightBSD.
CVE-2008-4247
Update your system using cvs to RELENG_0_2 or apply the patch on the ftp server in pub/MidnightBSD/patches/0.2.1/patch-ftpd and rebuild ftpd.

September 4, 2008

ICMPv6 code does not properly check the proposed MTU in the case of a "Packet Too Big" message. Systems without IPv6 support are safe. You may update your systems or block the ICMP traffic at a firewall or router. (CURRENT/RELENG_0_2)

September 4, 2008

An issue has been reported on systems running MidnightBSD for amd64/EM64T processors (64-bit OS). This patch was released AFTER 0.2.1-RELEASE. Update systems to RELENG_0_2 or CURRENT to get the fix. From the FreeBSD advisory on the same issue: If a General Protection Fault happens on a FreeBSD/amd64 system while it is returning from an interrupt, trap or system call, the swapgs CPU instruction may be called one extra time when it should not, resulting in userland and kernel state being mixed.

July 11, 2008

Update to bind 9.4.1 p1 to fix the recently reported vulnerability in most DNS software. Users of BIND are recommended to update to the latest version in src on RELENG_0_2 or CURRENT, or to obtain a newer version from mports.

May 16, 2008

The Debian project made a patch to OpenSSL causing a defect in the generation of ssh keys. A new utility was added to MidnightBSD to detect these keys and deny them. This was applied to RELENG_0_2 and CURRENT. The utility was obtained from Ubuntu.

April 17, 2008

OpenSSH was updated to 5.0p1 in CURRENT to correct an issue with X11 forwarding. A patch for this issue was committed to RELENG_0_1 as well as a fix for a config file issue.

April 17, 2008

A security issue was found in mksh. This only affected CURRENT users. The software was updated to r33d.

April 6, 2008

Bzip2 was updated to 1.05 in CURRENT to correct a security issue.

April 3, 2008

A security issue was found with strfmon in libc (CVE-2008-1391, integer overflow). This was fixed in CURRENT.

February 15, 2008

CURRENT now has a patch to correct a potential security issue with sendfile. Files were not checked prior to serving, which would allow a file that was write-only to be served. While this scenario is rare, we decided to fix it anyway.
sendfile is used by many daemons including Apache httpd.

August 1, 2007

BIND and Tcpdump were patched in 0.2 and 0.1 for recent security issues. BIND is now equivalent to 9.3.4p1.

May 2, 2007

CURRENT and STABLE both have the patch for IPv6 type 0 routing headers. The problem is that IPv6 routing headers could be used to send traffic over the same link multiple times.

March 10, 2007

While many of the DST changes were imported last year, we decided to cover all cases and import the latest tzdata2007c. Users concerned about DST changes should update their sources and rebuild. The java ports may not have DST changes in place. We will review that issue.

January 23, 2007

A "symlink" exploit was found in the MidnightBSD jail system. A fix was made available. Please update your /etc/rc.d/jail file from cvs. Patches will not be created until our first release.