Revision 9835 - Modified Fri May 11 22:22:45 2018 UTC by laffer1
Update mport package manager.
Add enhanced .sample file handling
Introduce basic which command that can tell you what package a file belongs to.
e.g. mport which /usr/local/bin/python

Revision 9834 - Modified Fri May 11 22:20:52 2018 UTC by laffer1
Update mport package manager.
Add enhanced .sample file handling
Introduce basic which command that can tell you what package a file belongs to.
e.g. mport which /usr/local/bin/python

Revision 9814 - Modified Wed Apr 4 13:02:08 2018 UTC by laffer1
The length field of the option header does not count the size of the option
header itself. This causes a problem when the length is zero, the count is
then incremented by zero, which causes an infinite loop.
In addition there are pointer/offset mistakes in the handling of IPv4
options.
Obtained from: FreeBSD

Revision 9813 - Modified Wed Apr 4 13:01:20 2018 UTC by laffer1
The length field of the option header does not count the size of the option
header itself. This causes a problem when the length is zero, the count is
then incremented by zero, which causes an infinite loop.
In addition there are pointer/offset mistakes in the handling of IPv4
options.
Obtained from: FreeBSD
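The two commits above describe an option walker that trusts the length byte of a multi-byte IPv4 option: with a length of zero the cursor never advances and the loop spins forever. The following is an added illustration, not MidnightBSD or FreeBSD kernel code. It models the walk over a raw option block with a constructed sample (a NOP, a 7-byte option, an EOL, and a second block whose option carries length zero); the only real values are the RFC 791 codes for EOL and NOP. The vulnerable variant is given an iteration guard purely so the demonstration returns; the kernel had no such guard.

```c
#include <stdint.h>
#include <stdio.h>

/* Option codes from RFC 791; only EOL and NOP are single-byte. */
#define IPOPT_EOL    0
#define IPOPT_NOP    1
#define IPOPT_MINLEN 2          /* code byte + length byte */

/*
 * Mirrors the bug: a multi-byte option's length byte is used as-is, so
 * len == 0 advances cnt by nothing and the loop never terminates. The
 * iteration guard exists only so this demonstration returns; it sets
 * *spun when the walk stopped making progress.
 */
int ipopt_walk_vulnerable(const uint8_t *opts, size_t optlen, int *spun)
{
    size_t cnt = 0, iterations = 0;

    *spun = 0;
    while (cnt < optlen) {
        uint8_t opt = opts[cnt];
        size_t len;

        if (opt == IPOPT_EOL)
            break;
        if (opt == IPOPT_NOP) {
            len = 1;
        } else {
            if (cnt + 1 >= optlen)
                return -1;          /* no room for a length byte */
            len = opts[cnt + 1];    /* bug: zero and oversize accepted */
        }
        cnt += len;
        if (++iterations > optlen) {
            *spun = 1;              /* would loop forever in the kernel */
            return -1;
        }
    }
    return 0;
}

/*
 * Fixed walk: a multi-byte option must carry at least its own two header
 * bytes and must fit in what remains, so cnt strictly increases on every
 * pass. Returns the number of options seen, or -1 for malformed input.
 */
int ipopt_walk_fixed(const uint8_t *opts, size_t optlen)
{
    size_t cnt = 0;
    int nopts = 0;

    while (cnt < optlen) {
        uint8_t opt = opts[cnt];
        size_t len;

        if (opt == IPOPT_EOL)
            break;
        if (opt == IPOPT_NOP) {
            len = 1;
        } else {
            if (cnt + 1 >= optlen)
                return -1;
            len = opts[cnt + 1];
            if (len < IPOPT_MINLEN || len > optlen - cnt)
                return -1;          /* zero, undersized, or past the end */
        }
        cnt += len;
        nopts++;
    }
    return nopts;
}

int main(void)
{
    /* Constructed option blocks: NOP, a 7-byte option, EOL; and a
     * multi-byte option whose length byte is zero. */
    const uint8_t good[] = { IPOPT_NOP, 0x07, 0x07, 0x04, 0, 0, 0, 0, IPOPT_EOL };
    const uint8_t zero_len[] = { 0x07, 0x00, 0x00, 0x00 };
    int spun;

    printf("good: fixed walk sees %d options\n", ipopt_walk_fixed(good, sizeof good));
    ipopt_walk_vulnerable(zero_len, sizeof zero_len, &spun);
    printf("zero_len: vulnerable walk spun=%d, fixed walk rc=%d\n", spun,
           ipopt_walk_fixed(zero_len, sizeof zero_len));
    return 0;
}
```

The invariant worth carrying into any TLV parser is the one the fix restores: the cursor must advance by at least the size of the header that was just read, and never past the end of the buffer.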

Revision 7727 - Modified Fri Aug 12 17:14:04 2016 UTC by laffer1
Backport changes to how we handle index loads and owner/group/mode, and data fixes. This should stop crashes on plists using @owner with no parameters, for example.

Revision 7546 - Modified Thu May 5 07:49:43 2016 UTC by laffer1
OpenSSL security patch
The padding check in AES-NI CBC MAC was rewritten to be in constant time
by making sure that always the same bytes are read and compared against
either the MAC or padding bytes. But it no longer checked that there was
enough data to have both the MAC and padding bytes. [CVE-2016-2107]
An overflow can occur in the EVP_EncodeUpdate() function which is used for
Base64 encoding of binary data. [CVE-2016-2105]
An overflow can occur in the EVP_EncryptUpdate() function, however it is
believed that there can be no overflows in internal code due to this problem.
[CVE-2016-2106]
When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
a short invalid encoding can cause allocation of large amounts of memory
potentially consuming excessive resources or exhausting memory.
[CVE-2016-2109]

Revision 7470 - Modified Thu Mar 17 12:47:38 2016 UTC by laffer1
Incorrect argument validation in sysarch(2)
A special combination of sysarch(2) arguments specifies a request to
uninstall a set of descriptors from the LDT. The start descriptor
is cleared and the number of descriptors is provided. Due to invalid
use of a signed intermediate value in the bounds checking during argument
validity verification, unbounded zeroing of the process LDT and adjacent
memory can be initiated from usermode.
Patch obtained from FreeBSD.
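The commit above is about a range check whose intermediate sum lives in a signed int. The following is an added illustration of that class of bug, not the FreeBSD or MidnightBSD sysarch(2) code: a toy descriptor table of a constructed size, a check that forms start + num in an int (so a negative num passes), the byte count the flawed path would hand to its zeroing routine, and a checked replacement that keeps every operand unsigned and tests the bound without computing a sum that can wrap.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LDT_LEN 8192u   /* constructed size of the toy descriptor table */

/*
 * Mirrors the flawed validation: start + num is formed in a signed int
 * and compared against the table length, so a negative num makes the
 * sum small enough to pass even though the zeroing length derived from
 * it, once taken as unsigned, is enormous. Inputs are kept in range so
 * no signed overflow occurs here.
 */
int ldt_range_ok_vulnerable(int start, int num, unsigned int ldt_len)
{
    int largest = start + num;          /* signed intermediate */
    if (largest > (int)ldt_len)
        return 0;
    return 1;
}

/* Byte count the flawed path would pass to its zeroing routine. */
size_t zeroing_bytes(int num)
{
    return (size_t)num * sizeof(uint64_t);
}

/* Checked replacement: unsigned operands, and the bound is tested in a
 * form that cannot wrap (start + num <= ldt_len). */
int ldt_range_ok_fixed(unsigned int start, unsigned int num, unsigned int ldt_len)
{
    if (num == 0 || num > ldt_len)
        return 0;
    if (start > ldt_len - num)
        return 0;
    return 1;
}

/* Clear num descriptors from start in a toy LDT of ldt_len entries.
 * Returns the number cleared, or -1 when the request is rejected. */
int ldt_uninstall(uint64_t *ldt, unsigned int ldt_len, unsigned int start, unsigned int num)
{
    if (!ldt_range_ok_fixed(start, num, ldt_len))
        return -1;
    memset(&ldt[start], 0, (size_t)num * sizeof ldt[0]);
    return (int)num;
}

int main(void)
{
    uint64_t ldt[16];

    memset(ldt, 0xff, sizeof ldt);
    printf("vulnerable check accepts start=4 num=-5: %d (would zero %zu bytes)\n",
           ldt_range_ok_vulnerable(4, -5, LDT_LEN), zeroing_bytes(-5));
    printf("fixed check accepts the same request: %d\n",
           ldt_range_ok_fixed(4, (unsigned int)-5, LDT_LEN));
    printf("uninstall entries 14..15 of 16: %d\n", ldt_uninstall(ldt, 16, 14, 2));
    return 0;
}
```

The shape `start > limit - num` after checking `num <= limit` is the idiom to reach for whenever a user-supplied start and count are validated together; it never forms the sum, so it cannot overflow in either signedness.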

Revision 7468 - Modified Thu Mar 17 12:36:44 2016 UTC by laffer1
MidnightBSD 0.7.6 RELEASE
OpenSSH doesn't have the luck of the Irish.
Fix a security issue with OpenSSH X11 forwarding that can allow an attacker
to run shell commands on the call to xauth.

Revision 7463 - Modified Thu Mar 10 14:09:36 2016 UTC by laffer1
OpenSSL security patch for DROWN
A cross-protocol attack was discovered that could lead to decryption of TLS
sessions by using a server supporting SSLv2 and EXPORT cipher suites as a
Bleichenbacher RSA padding oracle. Note that traffic between clients and
non-vulnerable servers can be decrypted provided another server supporting
SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP
or POP3) shares the RSA keys of the non-vulnerable server. This vulnerability
is known as DROWN. [CVE-2016-0800]
A double free bug was discovered when OpenSSL parses malformed DSA private
keys and could lead to a DoS attack or memory corruption for applications that
receive DSA private keys from untrusted sources. This scenario is considered
rare. [CVE-2016-0705]
The SRP user database lookup method SRP_VBASE_get_by_user had confusing memory
management semantics; the returned pointer was sometimes newly allocated, and
sometimes owned by the callee. The calling code has no way of distinguishing
these two cases. [CVE-2016-0798]
In the BN_hex2bn function, the number of hex digits is calculated using an int
value |i|. Later |bn_expand| is called with a value of |i * 4|. For large
values of |i| this can result in |bn_expand| not allocating any memory because
|i * 4| is negative. This can leave the internal BIGNUM data field as NULL
leading to a subsequent NULL pointer dereference. For very large values of
|i|, the calculation |i * 4| could be a positive value smaller than |i|. In
this case memory is allocated to the internal BIGNUM data field, but it is
insufficiently sized leading to heap corruption. A similar issue exists in
BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn is
ever called by user applications with very large untrusted hex/dec data. This
is anticipated to be a rare occurrence. [CVE-2016-0797]
The internal |fmtstr| function used in processing a "%s" formatted string in
the BIO_*printf functions could overflow while calculating the length of
a string and cause an out-of-bounds read when printing very long strings.
[CVE-2016-0799]
A side-channel attack was found which makes use of cache-bank conflicts on the
Intel Sandy-Bridge microarchitecture which could lead to the recovery of RSA
keys. [CVE-2016-0702]
s2_srvr.c did not enforce that clear-key-length is 0 for non-export ciphers.
If clear-key bytes are present for these ciphers, they displace encrypted-key
bytes. [CVE-2016-0703]
s2_srvr.c overwrites the wrong bytes in the master key when applying
Bleichenbacher protection for export cipher suites. [CVE-2016-0704]
Obtained from: OpenSSL & FreeBSD
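The BN_hex2bn item above (CVE-2016-0797) describes an allocation size computed as an int product of the digit count, which for large inputs goes negative or wraps to a small positive value. The following is an added illustration, not OpenSSL code: a function that reproduces the value the flawed computation would produce (the product is formed in size_t, whose wraparound is defined, and then converted to int, which gcc and clang implement as modular truncation), a checked sizing routine that rejects digit counts whose bit count cannot be represented, and a small hex parser built on it with constructed inputs.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Shows the value the flawed path would hand to its allocator: the
 * digit count times 4 (bits), squeezed into an int. For 2^29 digits
 * the result is negative; for 2^30 + 1 digits it is 4, far smaller
 * than the input. No undefined behaviour is involved: the multiply is
 * unsigned and the size_t -> int conversion is implementation-defined.
 */
int hex_bits_vulnerable(size_t ndigits)
{
    return (int)(ndigits * 4);
}

/* Checked replacement: refuse digit counts whose bit count would not fit
 * an int, then size the byte buffer from the digit count. */
int hex_alloc_size(size_t ndigits, size_t *bytes)
{
    if (ndigits == 0 || ndigits > (size_t)INT_MAX / 4)
        return -1;
    *bytes = (ndigits + 1) / 2;
    return 0;
}

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Parse a hex string into big-endian bytes, sizing the output through
 * hex_alloc_size() first. Returns the number of bytes written, or -1 if
 * the input is malformed or does not fit in outlen.
 */
int hex_to_bytes(const char *hex, uint8_t *out, size_t outlen)
{
    size_t ndigits = strlen(hex), need, i;

    if (hex_alloc_size(ndigits, &need) != 0 || need > outlen)
        return -1;
    memset(out, 0, need);
    for (i = 0; i < ndigits; i++) {
        int v = hexval(hex[i]);
        /* an odd digit count leaves only the low nibble of byte 0 used */
        size_t nib = i + (ndigits & 1);
        if (v < 0)
            return -1;
        out[nib / 2] |= (uint8_t)(nib & 1 ? v : v << 4);
    }
    return (int)need;
}

int main(void)
{
    uint8_t buf[8];
    int n = hex_to_bytes("deadbeef", buf, sizeof buf), i;

    printf("deadbeef ->");
    for (i = 0; i < n; i++)
        printf(" %02x", buf[i]);
    printf("\nflawed bit count for 2^29 digits: %d\n", hex_bits_vulnerable((size_t)1 << 29));
    printf("flawed bit count for 2^30+1 digits: %d\n", hex_bits_vulnerable(((size_t)1 << 30) + 1));
    return 0;
}
```

The same pattern covers the IGMPv3 buffer-size overflow fixed in revision 6964 further down: any size derived from attacker-controlled counts needs a bound check before the multiply, not after.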

Revision 7439 - Modified Sat Jan 30 18:07:14 2016 UTC by laffer1
MidnightBSD 0.7.4 RELEASE
OpenSSL CVE-2015-3197
A malicious client can negotiate SSLv2 ciphers that have been disabled on
the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
been disabled, provided that the SSLv2 protocol was not also disabled via
SSL_OP_NO_SSLv2.

Revision 7422 - Modified Thu Jan 14 13:43:09 2016 UTC by laffer1
A lack of proper input checks in the ICMPv6 processing in the SCTP stack
can lead to either a failed kernel assertion or to a NULL pointer
dereference. In either case, a kernel panic will follow.
Obtained from: FreeBSD

Revision 7336 - Modified Wed Sep 30 13:07:57 2015 UTC by laffer1
In rpcbind(8), netbuf structures are copied directly, which would result in
two netbuf structures that reference to one shared address buffer. When one
of the two netbuf structures is freed, access to the other netbuf structure
would result in an undefined result that may crash the rpcbind(8) daemon.
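The rpcbind(8) fix above concerns a struct that was copied by assignment, leaving two netbuf structures pointing at one address buffer so that freeing one dangles the other. The following is an added illustration, not the rpcbind or TI-RPC source: the netbuf layout is reproduced in spirit from <rpc/types.h>, and the shallow copy, a deep copy that gives the destination its own buffer, a matching free, and a check that two netbufs are independent are all constructed here, as is the sample address string.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Shape of the TI-RPC netbuf: a length-delimited address buffer. */
struct netbuf {
    unsigned int maxlen;
    unsigned int len;
    void *buf;
};

/* Shallow copy: the assignment shares src->buf between both structs.
 * Freeing either one leaves the other with a dangling pointer. */
void netbuf_copy_shallow(struct netbuf *dst, const struct netbuf *src)
{
    *dst = *src;
}

/* Deep copy: give dst its own buffer. Returns 0, or -1 on allocation
 * failure with dst left empty. */
int netbuf_copy(struct netbuf *dst, const struct netbuf *src)
{
    dst->maxlen = dst->len = 0;
    dst->buf = NULL;
    if (src->len == 0)
        return 0;
    dst->buf = malloc(src->len);
    if (dst->buf == NULL)
        return -1;
    memcpy(dst->buf, src->buf, src->len);
    dst->maxlen = dst->len = src->len;
    return 0;
}

void netbuf_free(struct netbuf *nb)
{
    free(nb->buf);
    nb->buf = NULL;
    nb->maxlen = nb->len = 0;
}

/* 1 if the two netbufs own distinct storage holding identical bytes. */
int netbuf_is_independent_copy(const struct netbuf *a, const struct netbuf *b)
{
    if (a->len != b->len)
        return 0;
    if (a->len == 0)
        return 1;
    return a->buf != b->buf && memcmp(a->buf, b->buf, a->len) == 0;
}

/* Build a netbuf from a constructed address string (not a real sockaddr). */
int netbuf_from_string(struct netbuf *nb, const char *addr)
{
    struct netbuf tmp = { 0, (unsigned int)strlen(addr) + 1, (void *)addr };
    return netbuf_copy(nb, &tmp);
}

int main(void)
{
    struct netbuf a, b, c;

    netbuf_from_string(&a, "10.0.0.1.0.111");
    netbuf_copy_shallow(&b, &a);
    netbuf_copy(&c, &a);
    printf("shallow copy shares the buffer: %d\n", b.buf == a.buf);
    printf("deep copy is independent:       %d\n", netbuf_is_independent_copy(&a, &c));
    netbuf_free(&a);   /* b.buf now dangles; c is unaffected */
    netbuf_free(&c);
    return 0;
}
```

Any struct that carries an owning pointer needs an explicit copy routine; plain assignment is only safe for the parts of the struct that are value types.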

Revision 7196 - Modified Wed Jul 29 00:38:43 2015 UTC by laffer1
MidnightBSD 0.6.4
OpenSSH
Fix two security vulnerabilities:
OpenSSH clients do not correctly verify DNS SSHFP records when a server
offers a certificate. [CVE-2014-2653]
OpenSSH servers which are configured to allow password authentication
using PAM (default) would allow many password attempts. A bug allows
MaxAuthTries to be bypassed. [CVE-2015-5600]

Revision 7193 - Modified Wed Jul 29 00:31:36 2015 UTC by laffer1
TCP Reassembly resource exhaustion bug:
There is a mistake with the introduction of VNET, which converted the
global limit on the number of segments that could belong to reassembly
queues into a per-VNET limit. Because mbufs are allocated from a
global pool, in the presence of a sufficient number of VNETs, the
total number of mbufs attached to reassembly queues can grow to the
total number of mbufs in the system, at which point all network
traffic would cease.
Obtained from: FreeBSD 8

Revision 7126 - Modified Wed Jul 22 15:00:50 2015 UTC by laffer1
MidnightBSD 0.6.3 RELEASE
TCP connections transitioning to the LAST_ACK state can become permanently
stuck due to mishandling of protocol state in certain situations, which in
turn can lead to accumulated consumption and eventual exhaustion of system
resources, such as mbufs and sockets.

Revision 6994 - Modified Wed Apr 8 01:35:45 2015 UTC by laffer1
0.5.11 RELEASE
Fix two security vulnerabilities:
The previous fix for IGMP had an overflow issue. This has been corrected.
ipv6: The Neighbor Discovery Protocol allows a local router to advertise a
suggested Current Hop Limit value of a link, which will replace
Current Hop Limit on an interface connected to the link on the MidnightBSD
system.
Obtained from: FreeBSD

Revision 6964 - Modified Wed Feb 25 14:32:10 2015 UTC by laffer1
An integer overflow in computing the size of IGMPv3 data buffer can result
in a buffer which is too small for the requested operation.
This can result in a DoS attack.

Revision 6963 - Modified Wed Feb 25 14:30:33 2015 UTC by laffer1
BIND servers which are configured to perform DNSSEC validation and which
are using managed keys (which occurs implicitly when using
"dnssec-validation auto;" or "dnssec-lookaside auto;") may exhibit
unpredictable behavior due to the use of an improperly initialized
variable.
CVE-2015-1349

Revision 6961 - Modified Wed Jan 14 22:53:09 2015 UTC by laffer1
0.5.8 RELEASE
Fix several security issues with OpenSSL.
A carefully crafted DTLS message can cause a segmentation fault in OpenSSL
due to a NULL pointer dereference. [CVE-2014-3571]
A memory leak can occur in the dtls1_buffer_record function under certain
conditions. [CVE-2015-0206]
When OpenSSL is built with the no-ssl3 option and a SSL v3 ClientHello is
received the ssl method would be set to NULL which could later result in
a NULL pointer dereference. [CVE-2014-3569]
An OpenSSL client will accept a handshake using an ephemeral ECDH
ciphersuite using an ECDSA certificate if the server key exchange message
is omitted. [CVE-2014-3572]
An OpenSSL client will accept the use of an RSA temporary key in a non-export
RSA key exchange ciphersuite. [CVE-2015-0204]
An OpenSSL server will accept a DH certificate for client authentication
without the certificate verify message. [CVE-2015-0205]
OpenSSL accepts several non-DER-variations of certificate signature
algorithm and signature encodings. OpenSSL also does not enforce a
match between the signature algorithm between the signed and unsigned
portions of the certificate. [CVE-2014-8275]
Bignum squaring (BN_sqr) may produce incorrect results on some
platforms, including x86_64. [CVE-2014-3570]

Revision 6956 - Modified Thu Dec 11 13:12:26 2014 UTC by laffer1
0.5.7 RELEASE
Fix a security issue with file and libmagic that can allow
an attacker to create a denial of service attack on any
program that uses libmagic.

Revision 6927 - Modified Wed Nov 5 03:42:01 2014 UTC by laffer1
Fix two security issues:
1. sshd may link libpthread in the wrong order, shadowing libc functions and causing a possible DoS attack for connecting clients.
2. getlogin may leak kernel memory via a buffer that is copied without clearing.

Revision 6881 - Modified Tue Oct 21 22:19:39 2014 UTC by laffer1
0.5.3 RELEASE
Fix several security vulnerabilities in OpenSSL, routed, rtsold,
and namei with respect to Capsicum sandboxes looking up
nonexistent path names and leaking memory.
OpenSSL update adds some workarounds for the recent
poodle vulnerability reported by Google.
The input path in routed(8) will accept queries from any source and
attempt to answer them. However, the output path assumes that the
destination address for the response is on a directly connected
network.
Due to a missing length check in the code that handles DNS parameters,
a malformed router advertisement message can result in a stack buffer
overflow in rtsold(8).

Revision 6879 - Modified Tue Oct 21 22:13:27 2014 UTC by laffer1
The input path in routed(8) will accept queries from any source and
attempt to answer them. However, the output path assumes that the
destination address for the response is on a directly connected
network.
Obtained from: FreeBSD

Revision 6878 - Modified Tue Oct 21 22:12:05 2014 UTC by laffer1
Due to a missing length check in the code that handles DNS parameters,
a malformed router advertisement message can result in a stack buffer
overflow in rtsold(8).
Obtained from: FreeBSD

Revision 6877 - Modified Tue Oct 21 22:09:49 2014 UTC by laffer1
A flaw in the DTLS SRTP extension parsing code allows an attacker, who
sends a carefully crafted handshake message, to cause OpenSSL to fail
to free up to 64k of memory causing a memory leak. [CVE-2014-3513].
When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
integrity of that ticket is first verified. In the event of a session
ticket integrity check failing, OpenSSL will fail to free memory
causing a memory leak. [CVE-2014-3567].
The SSL protocol 3.0, as supported in OpenSSL and other products, supports
CBC mode encryption where it could not adequately check the integrity of
padding, because of the use of non-deterministic CBC padding. This
protocol weakness makes it possible for an attacker to obtain clear text
data through a padding-oracle attack.
Some client applications (such as browsers) will reconnect using a
downgraded protocol to work around interoperability bugs in older
servers. This could be exploited by an active man-in-the-middle to
downgrade connections to SSL 3.0 even if both sides of the connection
support higher protocols. SSL 3.0 contains a number of weaknesses
including POODLE [CVE-2014-3566].
OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications
to block the ability for a MITM attacker to force a protocol downgrade.
When OpenSSL is configured with "no-ssl3" as a build option, servers
could accept and complete a SSL 3.0 handshake, and clients could be
configured to send them. [CVE-2014-3568].
Obtained from: OpenSSL, FreeBSD
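The POODLE entry above ends with the TLS_FALLBACK_SCSV mechanism, which lets a server tell an induced downgrade apart from a client that genuinely speaks nothing newer. The following is an added model of that exchange, not OpenSSL code: a client that lowers its version on retry and adds the signalling cipher suite, and a server that refuses a fallback hello below its own maximum with the inappropriate_fallback alert, as RFC 7507 specifies. The version numbers, the 0x5600 suite value and the alert numbers are the real wire values; the structs, the configured version range and the sample cipher suite are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SSL3_0 0x0300
#define TLS1_0 0x0301
#define TLS1_2 0x0303
#define TLS_FALLBACK_SCSV 0x5600          /* RFC 7507 */

#define ALERT_PROTOCOL_VERSION       70
#define ALERT_INAPPROPRIATE_FALLBACK 86

struct client_hello {
    uint16_t client_version;      /* highest version this hello offers */
    uint16_t suites[8];
    size_t nsuites;
};

struct server_cfg {
    uint16_t min_version;
    uint16_t max_version;
};

/* Client side: a retry after a failed higher-version attempt lowers the
 * version and marks the hello with the SCSV so the server can tell. */
void client_build_hello(struct client_hello *ch, uint16_t version, int is_fallback)
{
    ch->client_version = version;
    ch->nsuites = 0;
    ch->suites[ch->nsuites++] = 0x002f;   /* TLS_RSA_WITH_AES_128_CBC_SHA */
    if (is_fallback)
        ch->suites[ch->nsuites++] = TLS_FALLBACK_SCSV;
}

static int hello_has_scsv(const struct client_hello *ch)
{
    size_t i;
    for (i = 0; i < ch->nsuites; i++)
        if (ch->suites[i] == TLS_FALLBACK_SCSV)
            return 1;
    return 0;
}

/*
 * Server side. Returns 0 and sets *negotiated on success, otherwise the
 * alert the server would send. A fallback hello at anything below the
 * server's own maximum means something between the peers blocked the
 * higher attempt, so it is refused rather than served at SSL 3.0.
 */
int server_handle_hello(const struct server_cfg *srv, const struct client_hello *ch,
                        uint16_t *negotiated)
{
    if (ch->client_version < srv->min_version)
        return ALERT_PROTOCOL_VERSION;
    if (hello_has_scsv(ch) && ch->client_version < srv->max_version)
        return ALERT_INAPPROPRIATE_FALLBACK;
    *negotiated = ch->client_version < srv->max_version ? ch->client_version
                                                        : srv->max_version;
    return 0;
}

int main(void)
{
    struct server_cfg srv = { SSL3_0, TLS1_2 };   /* still serves SSL 3.0 */
    struct client_hello ch;
    uint16_t ver = 0;

    /* An active attacker drops the TLS 1.2 attempt; the client retries
     * at SSL 3.0, first without and then with the SCSV. */
    client_build_hello(&ch, SSL3_0, 0);
    printf("fallback without SCSV: rc=%d negotiated=0x%04x\n",
           server_handle_hello(&srv, &ch, &ver), ver);
    client_build_hello(&ch, SSL3_0, 1);
    printf("fallback with SCSV:    rc=%d (alert)\n", server_handle_hello(&srv, &ch, &ver));
    return 0;
}
```

The SCSV only helps when both ends implement it; the simpler defence, and the one the same commit's no-ssl3 item points at, is to raise min_version so that SSL 3.0 is never negotiable in the first place.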

Revision 6769 - Modified Tue Sep 16 23:49:28 2014 UTC by laffer1
0.4-RELEASE-p15
20140916:
Fix a security issue with TCP SYN.
When a segment with the SYN flag for an already existing connection arrives,
the TCP stack tears down the connection, bypassing a check that the
sequence number in the segment is in the expected window.

Revision 6767 - Modified Tue Sep 16 23:41:17 2014 UTC by laffer1
20140916:
Fix a security issue with TCP SYN.
When a segment with the SYN flag for an already existing connection arrives,
the TCP stack tears down the connection, bypassing a check that the
sequence number in the segment is in the expected window.
Obtained from: FreeBSD
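The two TCP SYN entries above describe a segment with SYN set being acted on before its sequence number was checked against the receive window, which lets an attacker who guesses only the four-tuple reset a connection blind. The following is an added model of that ordering, not the FreeBSD or MidnightBSD tcp_input code: the modular SEQ_LT/SEQ_GEQ comparisons are the BSD idiom, while the connection block, segment shape and return codes are constructed for the example. Both orderings are shown on the same constructed inputs, including a window that wraps past 2^32.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t tcp_seq;

/* Modular sequence-space comparisons, as in the BSD stack. */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)

#define TH_SYN 0x02

/* Minimal connection and segment state for this example. */
struct tcpcb {
    tcp_seq  rcv_nxt;      /* next sequence number expected */
    uint32_t rcv_wnd;      /* receive window */
    bool     established;
};

struct segment {
    tcp_seq seq;
    uint8_t flags;
};

enum { TCP_KEEP = 0, TCP_DROP = 1, TCP_RESET = 2 };

bool seq_in_window(const struct tcpcb *tp, tcp_seq seq)
{
    return SEQ_GEQ(seq, tp->rcv_nxt) && SEQ_LT(seq, tp->rcv_nxt + tp->rcv_wnd);
}

/* Mirrors the bug: a SYN on an established connection tears it down
 * before the sequence number is compared with the receive window. */
int tcp_input_vulnerable(struct tcpcb *tp, const struct segment *seg)
{
    if (tp->established && (seg->flags & TH_SYN)) {
        tp->established = false;
        return TCP_RESET;
    }
    if (!seq_in_window(tp, seg->seq))
        return TCP_DROP;
    return TCP_KEEP;
}

/* Fixed ordering: the window check runs first, so an off-window SYN is
 * discarded like any other off-window segment; only an in-window SYN
 * still reaches the teardown path. */
int tcp_input_fixed(struct tcpcb *tp, const struct segment *seg)
{
    if (!seq_in_window(tp, seg->seq))
        return TCP_DROP;
    if (tp->established && (seg->flags & TH_SYN)) {
        tp->established = false;
        return TCP_RESET;
    }
    return TCP_KEEP;
}

int main(void)
{
    struct tcpcb a = { 1000, 100, true }, b = a;
    struct segment blind = { 5, TH_SYN };   /* guessed seq, far outside the window */

    printf("vulnerable: rc=%d established=%d\n",
           tcp_input_vulnerable(&a, &blind), a.established);
    printf("fixed:      rc=%d established=%d\n",
           tcp_input_fixed(&b, &blind), b.established);
    return 0;
}
```

With the window check first, a blind attacker has to hit a 32-bit sequence number inside rcv_wnd rather than merely the port pair, which is the whole point of the in-window test.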

Revision 6756 - Modified Tue Sep 9 23:26:28 2014 UTC by laffer1
0.4-RELEASE-p14
OpenSSL security patch:
The receipt of a specifically crafted DTLS handshake message may cause OpenSSL
to consume large amounts of memory. [CVE-2014-3506]
The receipt of a specifically crafted DTLS packet could cause OpenSSL to leak
memory. [CVE-2014-3507]
A flaw in OBJ_obj2txt may cause pretty printing functions such as
X509_name_oneline, X509_name_print_ex et al. to leak some information from
the stack. [CVE-2014-3508]
OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to
a denial of service attack. [CVE-2014-3510]

Revision 6755 - Modified Tue Sep 9 23:15:28 2014 UTC by laffer1
OpenSSL security patch:
The receipt of a specifically crafted DTLS handshake message may cause OpenSSL
to consume large amounts of memory. [CVE-2014-3506]
The receipt of a specifically crafted DTLS packet could cause OpenSSL to leak
memory. [CVE-2014-3507]
A flaw in OBJ_obj2txt may cause pretty printing functions such as
X509_name_oneline, X509_name_print_ex et al. to leak some information from
the stack. [CVE-2014-3508]
OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to
a denial of service attack. [CVE-2014-3510]

Revision 6653 - Modified Wed Apr 30 12:23:07 2014 UTC by laffer1
MidnightBSD 0.4-RELEASE-p10
Fix a TCP reassembly bug that could result in a DoS attack
of the system. It may be possible to obtain portions
of kernel memory as well.