author: feld <feld@FreeBSD.org> 2016-08-12 05:19:09 +0800
committer: feld <feld@FreeBSD.org> 2016-08-12 05:19:09 +0800
commit: 8a1634d8b03c82b7ffdda08d9a8a53c074a4fe29 (patch)
tree: ed513aefdaf89a7ae85bdc1e2f5d427b7bc005c3 /security
parent: b3e1bcf4f7d37679921acce77f77961eee9cc0b0 (diff)
Add missing FreeBSD SA entries from 2014 to vuxml
Diffstat (limited to 'security')
-rw-r--r-- security/vuxml/vuln.xml | 669
1 files changed, 669 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index d4e65ca6dd9d..4cc7f11fff00 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -58,6 +58,675 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="74ded00e-6007-11e6-a6c3-14dae9d210b8">
+ <topic>FreeBSD -- Buffer overflow in stdio</topic>
+ <affects>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>10.1</ge><lt>10.1_1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>A programming error in the standard I/O library's
+ __sflush() function could erroneously adjust the buffered
+ stream's internal state even when no write actually occurred
+ in the case when write(2) system call returns an error.</p>
+ <h1>Impact:</h1>
+ <p>The accounting mismatch would accumulate, if the caller
+ does not check for stream status and will eventually lead
+ to a heap buffer overflow.</p>
+ <p>Such overflows may lead to data corruption or the execution
+ of arbitrary code at the privilege level of the calling
+ program.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2014-8611</cvename>
+ <freebsdsa>FreeBSD-SA-14:27.stdio</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2014-12-10</discovery>
+ <entry>2016-08-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="7488378d-6007-11e6-a6c3-14dae9d210b8">
+ <topic>FreeBSD -- Remote command execution in ftp(1)</topic>
+ <affects>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>10.0</ge><lt>10.0_12</lt></range>
+ <range><ge>9.3</ge><lt>9.3_5</lt></range>
+ <range><ge>9.2</ge><lt>9.2_15</lt></range>
+ <range><ge>9.1</ge><lt>9.1_22</lt></range>
+ <range><ge>8.4</ge><lt>8.4_19</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>A malicious HTTP server could cause ftp(1) to execute
+ arbitrary commands.</p>
+ <h1>Impact:</h1>
+ <p>When operating on HTTP URIs, the ftp(1) client follows
+ HTTP redirects, and uses the part of the path after the
+ last '/' from the last resource it accesses as the output
+ filename if '-o' is not specified.</p>
+ <p>If the output file name provided by the server begins
+ with a pipe ('|'), the output is passed to popen(3), which
+ might be used to execute arbitrary commands on the ftp(1)
+ client machine.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2014-8517</cvename>
+ <freebsdsa>FreeBSD-SA-14:26.ftp</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2014-11-04</discovery>
+ <entry>2016-08-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="74389f22-6007-11e6-a6c3-14dae9d210b8">
+ <topic>FreeBSD -- Kernel stack disclosure in setlogin(2) / getlogin(2)</topic>
+ <affects>
+ <package>
+ <name>FreeBSD-kernel</name>
+ <range><ge>10.0</ge><lt>10.0_12</lt></range>
+ <range><ge>9.3</ge><lt>9.3_5</lt></range>
+ <range><ge>9.2</ge><lt>9.2_15</lt></range>
+ <range><ge>9.1</ge><lt>9.1_22</lt></range>
+ <range><ge>8.4</ge><lt>8.4_19</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>When setlogin(2) is called while setting up a new login
+ session, the login name is copied into an uninitialized
+ stack buffer, which is then copied into a buffer of the
+ same size in the session structure. The getlogin(2) system
+ call returns the entire buffer rather than just the portion
+ occupied by the login name associated with the session.</p>
+ <h1>Impact:</h1>
+ <p>An unprivileged user can access this memory by calling
+ getlogin(2) and reading beyond the terminating NUL character
+ of the resulting string. Up to 16 (FreeBSD 8) or 32 (FreeBSD
+ 9 and 10) bytes of kernel memory may be leaked in this
+ manner for each invocation of setlogin(2).</p>
+ <p>This memory may contain sensitive information, such as
+ portions of the file cache or terminal buffers, which an
+ attacker might leverage to obtain elevated privileges.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2014-8476</cvename>
+ <freebsdsa>FreeBSD-SA-14:25.setlogin</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2014-11-04</discovery>
+ <entry>2016-08-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="73e9a137-6007-11e6-a6c3-14dae9d210b8">
+ <topic>FreeBSD -- Denial of service attack against sshd(8)</topic>
+ <affects>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>10.0</ge><lt>10.0_12</lt></range>
+ <range><ge>9.2</ge><lt>9.2_15</lt></range>
+ <range><ge>9.1</ge><lt>9.1_22</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>Although OpenSSH is not multithreaded, when OpenSSH is
+ compiled with Kerberos support, the Heimdal libraries bring
+ in the POSIX thread library as a dependency. Due to incorrect
+ library ordering while linking sshd(8), symbols in the C
+ library which are shadowed by the POSIX thread library may
+ not be resolved correctly at run time.</p>
+ <p>Note that this problem is specific to the FreeBSD build
+ system and does not affect other operating systems or the
+ version of OpenSSH available from the FreeBSD ports tree.</p>
+ <h1>Impact:</h1>
+ <p>An incorrectly linked sshd(8) child process may deadlock
+ while handling an incoming connection. The connection may
+ then time out or be interrupted by the client, leaving the
+ deadlocked sshd(8) child process behind. Eventually, the
+ sshd(8) parent process stops accepting new connections.</p>
+ <p>An attacker may take advantage of this by repeatedly
+ connecting and then dropping the connection after having
+ begun, but not completed, the authentication process.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2014-8475</cvename>
+ <freebsdsa>FreeBSD-SA-14:24.sshd</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2014-11-04</discovery>
+ <entry>2016-08-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="73964eac-6007-11e6-a6c3-14dae9d210b8">
+ <topic>FreeBSD -- memory leak in sandboxed namei lookup</topic>
+ <affects>
+ <package>
+ <name>FreeBSD-kernel</name>
+ <range><ge>10.0</ge><lt>10.0_10</lt></range>
+ <range><ge>9.3</ge><lt>9.3_3</lt></range>
+ <range><ge>9.2</ge><lt>9.2_13</lt></range>
+ <range><ge>9.1</ge><lt>9.1_20</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>The namei facility will leak a small amount of kernel
+ memory every time a sandboxed process looks up a nonexistent
+ path name.</p>
+ <h1>Impact:</h1>
+ <p>A remote attacker that can cause a sandboxed process
+ (for instance, a web server) to look up a large number of
+ nonexistent path names can cause memory exhaustion.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2014-3711</cvename>
+ <freebsdsa>FreeBSD-SA-14:22.namei</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2014-10-21</discovery>
+ <entry>2016-08-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="734233f4-6007-11e6-a6c3-14dae9d210b8">
+ <topic>FreeBSD -- routed(8) remote denial of service vulnerability</topic>
+ <affects>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>10.0</ge><lt>10.0_10</lt></range>
+ <range><ge>9.3</ge><lt>9.3_3</lt></range>
+ <range><ge>9.2</ge><lt>9.2_13</lt></range>
+ <range><ge>9.1</ge><lt>9.1_20</lt></range>
+ <range><ge>8.4</ge><lt>8.4_17</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>The input path in routed(8) will accept queries from any
+ source and attempt to answer them. However, the output path
+ assumes that the destination address for the response is
+ on a directly connected network.</p>
+ <h1>Impact:</h1>
+ <p>Upon receipt of a query from a source which is not on a
+ directly connected network, routed(8) will trigger an
+ assertion and terminate. The affected system's routing table
+ will no longer be updated. If the affected system is a
+ router, its routes will eventually expire from other routers'
+ routing tables, and its networks will no longer be reachable
+ unless they are also connected to another router.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2014-3955</cvename>
+ <freebsdsa>FreeBSD-SA-14:21.routed</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2014-10-21</discovery>
+ <entry>2016-08-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="72ee7111-6007-11e6-a6c3-14dae9d210b8">
+ <topic>FreeBSD -- rtsold(8) remote buffer overflow vulnerability</topic>
+ <affects>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>10.0</ge><lt>10.0_10</lt></range>
+ <range><ge>9.3</ge><lt>9.3_3</lt></range>
+ <range><ge>9.2</ge><lt>9.2_13</lt></range>
+ <range><ge>9.1</ge><lt>9.1_20</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>Due to a missing length check in the code that handles
+ DNS parameters, a malformed router advertisement message
+ can result in a stack buffer overflow in rtsold(8).</p>
+ <h1>Impact:</h1>
+ <p>Receipt of a router advertisement message with a malformed
+ DNSSL option, for instance from a compromised host on the
+ same network, can cause rtsold(8) to crash.</p>
+ <p>While it is theoretically possible to inject code into
+ rtsold(8) through malformed router advertisement messages,
+ it is normally compiled with stack protection enabled,
+ rendering such an attack extremely difficult.</p>
+ <p>When rtsold(8) crashes, the existing DNS configuration
+ will remain in force, and the kernel will continue to receive
+ and process periodic router advertisements.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2014-3954</cvename>
+ <freebsdsa>FreeBSD-SA-14:20.rtsold</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2014-10-21</discovery>
+ <entry>2016-08-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="729c4a9f-6007-11e6-a6c3-14dae9d210b8">
+ <topic>FreeBSD -- Denial of Service in TCP packet processing</topic>
+ <affects>
+ <package>
+ <name>FreeBSD-kernel</name>
+ <range><ge>10.0</ge><lt>10.0_9</lt></range>
+ <range><ge>9.3</ge><lt>9.3_2</lt></range>
+ <range><ge>9.2</ge><lt>9.2_12</lt></range>
+ <range><ge>9.1</ge><lt>9.1_19</lt></range>
+ <range><ge>8.4</ge><lt>8.4_16</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>When a segment with the SYN flag for an already existing
+ connection arrives, the TCP stack tears down the connection,
+ bypassing a check that the sequence number in the segment
+ is in the expected window.</p>
+ <h1>Impact:</h1>
+ <p>An attacker who has the ability to spoof IP traffic can
+ tear down a TCP connection by sending only 2 packets, if
+ they know both TCP port numbers. In case one of the two
+ port numbers is unknown, a successful attack requires less
+ than 2**17 packets spoofed, which can be generated within
+ less than a second on a decent connection to the Internet.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2004-0230</cvename>
+ <freebsdsa>FreeBSD-SA-14:19.tcp</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2014-09-16</discovery>
+ <entry>2016-08-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="7240de58-6007-11e6-a6c3-14dae9d210b8">
+ <topic>FreeBSD -- Kernel memory disclosure in control messages and SCTP</topic>
+ <affects>
+ <package>
+ <name>FreeBSD-kernel</name>
+ <range><ge>10.0</ge><lt>10.0_7</lt></range>
+ <range><ge>9.2</ge><lt>9.2_10</lt></range>
+ <range><ge>9.1</ge><lt>9.1_17</lt></range>
+ <range><ge>8.4</ge><lt>8.4_14</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>Buffer between control message header and data may not
+ be completely initialized before being copied to userland.
+ [CVE-2014-3952]</p>
+ <p>Three SCTP cmsgs, SCTP_SNDRCV, SCTP_EXTRCV and SCTP_RCVINFO,
+ have implicit padding that may not be completely initialized
+ before being copied to userland. In addition, three SCTP
+ notifications, SCTP_PEER_ADDR_CHANGE, SCTP_REMOTE_ERROR and
+ SCTP_AUTHENTICATION_EVENT, have padding in the returning
+ data structure that may not be completely initialized before
+ being copied to userland. [CVE-2014-3953]</p>
+ <h1>Impact:</h1>
+ <p>An unprivileged local process may be able to retrieve
+ portion of kernel memory.</p>
+ <p>For the generic control message, the process may be able
+ to retrieve a maximum of 4 bytes of kernel memory.</p>
+ <p>For SCTP, the process may be able to retrieve 2 bytes
+ of kernel memory for all three control messages, plus 92
+ bytes for SCTP_SNDRCV and 76 bytes for SCTP_EXTRCV. If the
+ local process is permitted to receive SCTP notification, a
+ maximum of 112 bytes of kernel memory may be returned to
+ userland.</p>
+ <p>This information might be directly useful, or it might
+ be leveraged to obtain elevated privileges in some way. For
+ example, a terminal buffer might include a user-entered
+ password.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2014-3952</cvename>
+ <cvename>CVE-2014-3953</cvename>
+ <freebsdsa>FreeBSD-SA-14:17.kmem</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2014-07-08</discovery>
+ <entry>2016-08-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="70140f20-6007-11e6-a6c3-14dae9d210b8">
+ <topic>FreeBSD -- Multiple vulnerabilities in file(1) and libmagic(3)</topic>
+ <affects>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>10.0</ge><lt>10.0_6</lt></range>
+ <range><ge>9.2</ge><lt>9.2_9</lt></range>
+ <range><ge>9.1</ge><lt>9.1_16</lt></range>
+ <range><ge>8.4</ge><lt>8.4_13</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>A specifically crafted Composite Document File (CDF)
+ file can trigger an out-of-bounds read or an invalid pointer
+ dereference. [CVE-2012-1571]</p>
+ <p>A flaw in regular expression in the awk script detector
+ makes use of multiple wildcards with unlimited repetitions.
+ [CVE-2013-7345]</p>
+ <p>A malicious input file could trigger infinite recursion
+ in libmagic(3). [CVE-2014-1943]</p>
+ <p>A specifically crafted Portable Executable (PE) can
+ trigger out-of-bounds read. [CVE-2014-2270]</p>
+ <h1>Impact:</h1>
+ <p>An attacker who can cause file(1) or any other applications
+ using the libmagic(3) library to be run on a maliciously
+ constructed input can the application to crash or consume
+ excessive CPU resources, resulting in a denial-of-service.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2012-1571</cvename>
+ <cvename>CVE-2013-7345</cvename>
+ <cvename>CVE-2014-1943</cvename>
+ <cvename>CVE-2014-2270</cvename>
+ <freebsdsa>FreeBSD-SA-14:16.file</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2014-06-24</discovery>
+ <entry>2016-08-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="6f91a709-6007-11e6-a6c3-14dae9d210b8">
+ <topic>FreeBSD -- iconv(3) NULL pointer dereference and out-of-bounds array access</topic>
+ <affects>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>10.0</ge><lt>10.0_6</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>A NULL pointer dereference in the initialization code
+ of the HZ module and an out of bounds array access in the
+ initialization code of the VIQR module make iconv_open(3)
+ calls involving HZ or VIQR result in an application crash.</p>
+ <h1>Impact:</h1>
+ <p>Services where an attacker can control the arguments of
+ an iconv_open(3) call can be caused to crash resulting in
+ a denial-of-service. For example, an email encoded in HZ
+ may cause an email delivery service to crash if it converts
+ emails to a more generic encoding like UTF-8 before applying
+ filtering rules.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2014-3951</cvename>
+ <freebsdsa>FreeBSD-SA-14:15.iconv</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2014-06-24</discovery>
+ <entry>2016-08-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="6e8f9003-6007-11e6-a6c3-14dae9d210b8">
+ <topic>FreeBSD -- Incorrect error handling in PAM policy parser</topic>
+ <affects>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>9.2</ge><lt>9.2_7</lt></range>
+ <range><ge>10.0</ge><lt>10.0_4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>The OpenPAM library searches for policy definitions in
+ several locations. While doing so, the absence of a policy
+ file is a soft failure (handled by searching in the next
+ location) while the presence of an invalid file is a hard
+ failure (handled by returning an error to the caller).</p>
+ <p>The policy parser returns the same error code (ENOENT)
+ when a syntactically valid policy references a non-existent
+ module as when the requested policy file does not exist.
+ The search loop regards this as a soft failure and looks
+ for the next similarly-named policy, without discarding the
+ partially-loaded configuration.</p>
+ <p>A similar issue can arise if a policy contains an include
+ directive that refers to a non-existent policy.</p>
+ <h1>Impact:</h1>
+ <p>If a module is removed, or the name of a module is
+ misspelled in the policy file, the PAM library will proceed
+ with a partially loaded configuration. Depending on the
+ exact circumstances, this may result in a fail-open scenario
+ where users are allowed to log in without a password, or
+ with an incorrect password.</p>
+ <p>In particular, if a policy references a module installed
+ by a package or port, and that package or port is being
+ reinstalled or upgraded, there is a brief window of time
+ during which the module is absent and policies that use it
+ may fail open. This can be especially damaging to Internet-facing
+ SSH servers, which are regularly subjected to brute-force
+ scans.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2014-3879</cvename>
+ <freebsdsa>FreeBSD-SA-14:13.pam</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2014-06-03</discovery>
+ <entry>2016-08-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="6e04048b-6007-11e6-a6c3-14dae9d210b8">
+ <topic>FreeBSD -- ktrace kernel memory disclosure</topic>
+ <affects>
+ <package>
+ <name>FreeBSD-kernel</name>
+ <range><ge>9.2</ge><lt>9.2_7</lt></range>
+ <range><ge>9.1</ge><lt>9.1_14</lt></range>
+ <range><ge>8.4</ge><lt>8.4_11</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>Due to an overlooked merge to -STABLE branches, the size
+ for page fault kernel trace entries was set incorrectly.</p>
+ <h1>Impact:</h1>
+ <p>A user who can enable kernel process tracing could end
+ up reading the contents of kernel memory.</p>
+ <p>Such memory might contain sensitive information, such
+ as portions of the file cache or terminal buffers. This
+ information might be directly useful, or it might be leveraged
+ to obtain elevated privileges in some way; for example, a
+ terminal buffer might include a user-entered password.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2014-3873</cvename>
+ <freebsdsa>FreeBSD-SA-14:12.ktrace</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2014-06-03</discovery>
+ <entry>2016-08-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="6d9eadaf-6007-11e6-a6c3-14dae9d210b8">
+ <topic>FreeBSD -- sendmail improper close-on-exec flag handling</topic>
+ <affects>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>10.0</ge><lt>10.0_4</lt></range>
+ <range><ge>9.2</ge><lt>9.2_7</lt></range>
+ <range><ge>9.1</ge><lt>9.1_14</lt></range>
+ <range><ge>8.4</ge><lt>8.4_11</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>There is a programming error in sendmail(8) that prevented
+ open file descriptors have close-on-exec properly set.
+ Consequently a subprocess will be able to access all open
+ files that the parent process have open.</p>
+ <h1>Impact:</h1>
+ <p>A local user who can execute their own program for mail
+ delivery will be able to interfere with an open SMTP
+ connection.</p>
+ </body>
+ </description>
+ <references>
+ <freebsdsa>FreeBSD-SA-14:11.sendmail</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2014-06-03</discovery>
+ <entry>2016-08-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="6d472244-6007-11e6-a6c3-14dae9d210b8">
+ <topic>FreeBSD -- TCP reassembly vulnerability</topic>
+ <affects>
+ <package>
+ <name>FreeBSD-kernel</name>
+ <range><ge>8.4</ge><lt>8.4_9</lt></range>
+ <range><ge>8.3</ge><lt>8.3_16</lt></range>
+ <range><ge>9.2</ge><lt>9.2_5</lt></range>
+ <range><ge>9.1</ge><lt>9.1_12</lt></range>
+ <range><ge>10.0</ge><lt>10.0_2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>FreeBSD may add a reassemble queue entry on the stack
+ into the segment list when the reassembly queue reaches its
+ limit. The memory from the stack is undefined after the
+ function returns. Subsequent iterations of the reassembly
+ function will attempt to access this entry.</p>
+ <h1>Impact:</h1>
+ <p>An attacker who can send a series of specifically crafted
+ packets with a connection could cause a denial of service
+ situation by causing the kernel to crash.</p>
+ <p>Additionally, because the undefined on stack memory may
+ be overwritten by other kernel threads, while extremely
+ difficult, it may be possible for an attacker to construct
+ a carefully crafted attack to obtain portion of kernel
+ memory via a connected socket. This may result in the
+ disclosure of sensitive information such as login credentials,
+ etc. before or even without crashing the system.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2014-3000</cvename>
+ <freebsdsa>FreeBSD-SA-14:08.tcp</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2014-04-30</discovery>
+ <entry>2016-08-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="6b6ca5b6-6007-11e6-a6c3-14dae9d210b8">
+ <topic>FreeBSD -- devfs rules not applied by default for jails</topic>
+ <affects>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>10.0</ge><lt>10.0_2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>The default devfs rulesets are not loaded on boot, even
+ when jails are used. Device nodes will be created in the
+ jail with their normal default access permissions, while
+ most of them should be hidden and inaccessible.</p>
+ <h1>Impact:</h1>
+ <p>Jailed processes can get access to restricted resources
+ on the host system. For jailed processes running with
+ superuser privileges this implies access to all devices on
+ the system. This level of access could lead to information
+ leakage and privilege escalation.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2014-3001</cvename>
+ <freebsdsa>FreeBSD-SA-14:07.devfs</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2014-04-30</discovery>
+ <entry>2016-08-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="6a384960-6007-11e6-a6c3-14dae9d210b8">
+ <topic>FreeBSD -- Deadlock in the NFS server</topic>
+ <affects>
+ <package>
+ <name>FreeBSD-kernel</name>
+ <range><ge>10.0</ge><lt>10.0_1</lt></range>
+ <range><ge>9.2</ge><lt>9.2_4</lt></range>
+ <range><ge>9.1</ge><lt>9.1_11</lt></range>
+ <range><ge>8.4</ge><lt>8.4_8</lt></range>
+ <range><ge>8.3</ge><lt>8.3_15</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>The kernel holds a lock over the source directory vnode
+ while trying to convert the target directory file handle
+ to a vnode, which needs to be returned with the lock held,
+ too. This order may be in violation of normal lock order,
+ which in conjunction with other threads that grab locks in
+ the right order, constitutes a deadlock condition because
+ no thread can proceed.</p>
+ <h1>Impact:</h1>
+ <p>An attacker on a trusted client could cause the NFS
+ server become deadlocked, resulting in a denial of service.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2014-1453</cvename>
+ <freebsdsa>FreeBSD-SA-14:05.nfsserver</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2014-04-08</discovery>
+ <entry>2016-08-11</entry>
+ </dates>
+ </vuln>
+
<vuln vid="4c96ecf2-5fd9-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- bsnmpd remote denial of service vulnerability</topic>
<affects>
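Review bot: the sendmail entry (vid 6d9eadaf-6007-11e6-a6c3-14dae9d210b8, topic "sendmail improper close-on-exec flag handling") is the only one of the eighteen added <vuln> blocks whose <references> carries a <freebsdsa> (FreeBSD-SA-14:11.sendmail) but no <cvename>; check the advisory and add the CVE if one was assigned, or note in the commit message that none exists, since tooling that keys on <cvename> will otherwise never match this entry. Also worth a second look: the stdio entry (vid 74ded00e-…, FreeBSD-SA-14:27.stdio) lists a single range, `<range><ge>10.1</ge><lt>10.1_1</lt></range>`, while every other late-2014 entry in this hunk (ftp, setlogin, sshd) also lists 10.0, 9.x and, where applicable, 8.4; confirm against the advisory that 10.0 and the 9.x/8.4 branches were really unaffected or not patched, because a missing range silently marks those patch levels clean for pkg-audit. Finally, three sentences copied into the descriptions read badly and could be fixed in the same commit: "can the application to crash or consume excessive CPU resources" (file/libmagic entry) is missing "cause"; "prevented open file descriptors have close-on-exec properly set" (sendmail entry) should be "prevented open file descriptors from having close-on-exec properly set"; and "retrieve portion of kernel memory" (kmem entry) needs "a portion".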