author | Mark Felder <feld@FreeBSD.org> | 2016-08-11 21:33:59 +0000
committer | Mark Felder <feld@FreeBSD.org> | 2016-08-11 21:33:59 +0000
commit | ec7a9b23a4af77e174b5cf72416fa57adc4c7832 (patch)
tree | 25f6105d125c77730b8357dbd88e17b527117a40 /security
parent | 1872ee6af8eb63dfe38c671a64b88b7019d80663 (diff)
Diffstat (limited to 'security')
-rw-r--r-- | security/vuxml/vuln.xml | 575
1 files changed, 575 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 95adfe18f7cf..727d190d0995 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml 
@@ -58,6 +58,581 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="7d4f4955-600a-11e6-a6c3-14dae9d210b8"> + <topic>FreeBSD -- Heap vulnerability in bspatch</topic> + <affects> + <package> + <name>FreeBSD</name> + <range><ge>10.3</ge><lt>10.3_6</lt></range> + <range><ge>10.2</ge><lt>10.2_20</lt></range> + <range><ge>10.1</ge><lt>10.1_37</lt></range> + <range><ge>9.3</ge><lt>9.3_45</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <h1>Problem Description:</h1> + <p>The implementation of bspatch does not check for a + negative value on numbers of bytes read from the diff and + extra streams, allowing an attacker who can control the + patch file to write at arbitrary locations in the heap.</p> + <p>This issue was first discovered by The Chromium Project + and reported independently by Lu Tung-Pin to the FreeBSD + project.</p> + <h1>Impact:</h1> + <p>An attacker who can control the patch file can cause a + crash or run arbitrary code under the credentials of the + user who runs bspatch, in many cases, root.</p> + </body> + </description> + <references> + <cvename>CVE-2014-9862</cvename> + <freebsdsa>FreeBSD-SA-16:25.bspatch</freebsdsa> + </references> + <dates> + <discovery>2016-07-25</discovery> + <entry>2016-08-11</entry> + </dates> + </vuln> + + <vuln vid="7cfcea05-600a-11e6-a6c3-14dae9d210b8"> + <topic>FreeBSD -- Multiple vulnerabilities of ntp</topic> + <affects> + <package> + <name>FreeBSD</name> + <range><ge>10.3</ge><lt>10.3_5</lt></range> + <range><ge>10.2</ge><lt>10.2_19</lt></range> + <range><ge>10.1</ge><lt>10.1_36</lt></range> + <range><ge>9.3</ge><lt>9.3_44</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <h1>Problem Description:</h1> + <p>Multiple vulnerabilities have been discovered in the NTP + suite:</p> + <p>The fix for Sec 3007 in ntp-4.2.8p7 contained a 
bug that + could cause ntpd to crash. [CVE-2016-4957, Reported by + Nicolas Edet of Cisco]</p> + <p>An attacker who knows the origin timestamp and can send + a spoofed packet containing a CRYPTO-NAK to an ephemeral + peer target before any other response is sent can demobilize + that association. [CVE-2016-4953, Reported by Miroslav + Lichvar of Red Hat]</p> + <p>An attacker who is able to spoof packets with correct + origin timestamps from enough servers before the expected + response packets arrive at the target machine can affect + some peer variables and, for example, cause a false leap + indication to be set. [CVE-2016-4954, Reported by Jakub + Prokes of Red Hat]</p> + <p>An attacker who is able to spoof a packet with a correct + origin timestamp before the expected response packet arrives + at the target machine can send a CRYPTO_NAK or a bad MAC + and cause the association's peer variables to be cleared. + If this can be done often enough, it will prevent that + association from working. [CVE-2016-4955, Reported by + Miroslav Lichvar of Red Hat]</p> + <p>The fix for NtpBug2978 does not cover broadcast associations, + so broadcast clients can be triggered to flip into interleave + mode. 
[CVE-2016-4956, Reported by Miroslav Lichvar of Red + Hat.]</p> + <h1>Impact:</h1> + <p>Malicious remote attackers may be able to break time + synchronization, or cause the ntpd(8) daemon to crash.</p> + </body> + </description> + <references> + <cvename>CVE-2016-4953</cvename> + <cvename>CVE-2016-4954</cvename> + <cvename>CVE-2016-4955</cvename> + <cvename>CVE-2016-4956</cvename> + <cvename>CVE-2016-4957</cvename> + <freebsdsa>FreeBSD-SA-16:24.ntp</freebsdsa> + </references> + <dates> + <discovery>2016-06-04</discovery> + <entry>2016-08-11</entry> + </dates> + </vuln> + + <vuln vid="7cad4795-600a-11e6-a6c3-14dae9d210b8"> + <topic>FreeBSD -- Kernel stack disclosure in 4.3BSD compatibility layer</topic> + <affects> + <package> + <name>FreeBSD-kernel</name> + <range><ge>10.3</ge><lt>10.3_4</lt></range> + <range><ge>10.2</ge><lt>10.2_18</lt></range> + <range><ge>10.1</ge><lt>10.1_35</lt></range> + <range><ge>9.3</ge><lt>9.3_43</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <h1>Problem Description:</h1> + <p>The implementation of historic stat(2) system call does + not clear the output struct before copying it out to + userland.</p> + <h1>Impact:</h1> + <p>An unprivileged user can read a portion of uninitialised + kernel stack data, which may contain sensitive information, + such as the stack guard, portions of the file cache or + terminal buffers, which an attacker might leverage to obtain + elevated privileges.</p> + </body> + </description> + <references> + <freebsdsa>FreeBSD-SA-16:21.43bsd</freebsdsa> + </references> + <dates> + <discovery>2016-05-31</discovery> + <entry>2016-08-11</entry> + </dates> + </vuln> + + <vuln vid="7c5d64dd-600a-11e6-a6c3-14dae9d210b8"> + <topic>FreeBSD -- Kernel stack disclosure in Linux compatibility layer</topic> + <affects> + <package> + <name>FreeBSD-kernel</name> + <range><ge>10.3</ge><lt>10.3_4</lt></range> + <range><ge>10.2</ge><lt>10.2_18</lt></range> + 
<range><ge>10.1</ge><lt>10.1_35</lt></range> + <range><ge>9.3</ge><lt>9.3_43</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <h1>Problem Description:</h1> + <p>The implementation of the TIOCGSERIAL ioctl(2) does not + clear the output struct before copying it out to userland.</p> + <p>The implementation of the Linux sysinfo() system call + does not clear the output struct before copying it out to + userland.</p> + <h1>Impact:</h1> + <p>An unprivileged user can read a portion of uninitialised + kernel stack data, which may contain sensitive information, + such as the stack guard, portions of the file cache or + terminal buffers, which an attacker might leverage to obtain + elevated privileges.</p> + </body> + </description> + <references> + <freebsdsa>FreeBSD-SA-16:20.linux</freebsdsa> + </references> + <dates> + <discovery>2016-05-31</discovery> + <entry>2016-08-11</entry> + </dates> + </vuln> + + <vuln vid="7c0bac69-600a-11e6-a6c3-14dae9d210b8"> + <topic>FreeBSD -- Incorrect argument handling in sendmsg(2)</topic> + <affects> + <package> + <name>FreeBSD-kernel</name> + <range><ge>10.3</ge><lt>10.3_3</lt></range> + <range><ge>10.2</ge><lt>10.2_17</lt></range> + <range><ge>10.1</ge><lt>10.1_34</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <h1>Problem Description:</h1> + <p>Incorrect argument handling in the socket code allows + malicious local user to overwrite large portion of the + kernel memory.</p> + <h1>Impact:</h1> + <p>Malicious local user may crash kernel or execute arbitrary + code in the kernel, potentially gaining superuser privileges.</p> + </body> + </description> + <references> + <cvename>CVE-2016-1887</cvename> + <freebsdsa>FreeBSD-SA-16:19.sendmsg</freebsdsa> + </references> + <dates> + <discovery>2016-05-17</discovery> + <entry>2016-08-11</entry> + </dates> + </vuln> + + <vuln vid="7bbc0e8c-600a-11e6-a6c3-14dae9d210b8"> + <topic>FreeBSD -- 
Buffer overflow in keyboard driver</topic> + <affects> + <package> + <name>FreeBSD-kernel</name> + <range><ge>10.3</ge><lt>10.3_3</lt></range> + <range><ge>10.2</ge><lt>10.2_17</lt></range> + <range><ge>10.1</ge><lt>10.1_34</lt></range> + <range><ge>9.3</ge><lt>9.3_42</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <h1>Problem Description:</h1> + <p>Incorrect signedness comparison in the ioctl(2) handler + allows a malicious local user to overwrite a portion of the + kernel memory.</p> + <h1>Impact:</h1> + <p>A local user may crash the kernel, read a portion of + kernel memory and execute arbitrary code in kernel context. + The result of executing an arbitrary kernel code is privilege + escalation.</p> + </body> + </description> + <references> + <cvename>CVE-2016-1886</cvename> + <freebsdsa>FreeBSD-SA-16:18.atkbd</freebsdsa> + </references> + <dates> + <discovery>2016-05-17</discovery> + <entry>2016-08-11</entry> + </dates> + </vuln> + + <vuln vid="7b6a11b5-600a-11e6-a6c3-14dae9d210b8"> + <topic>FreeBSD -- Incorrect argument validation in sysarch(2)</topic> + <affects> + <package> + <name>FreeBSD-kernel</name> + <range><ge>10.2</ge><lt>10.2_14</lt></range> + <range><ge>10.1</ge><lt>10.1_31</lt></range> + <range><ge>9.3</ge><lt>9.3_39</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <h1>Problem Description:</h1> + <p>A special combination of sysarch(2) arguments, specify + a request to uninstall a set of descriptors from the LDT. + The start descriptor is cleared and the number of descriptors + are provided. Due to invalid use of a signed intermediate + value in the bounds checking during argument validity + verification, unbound zero'ing of the process LDT and + adjacent memory can be initiated from usermode.</p> + <h1>Impact:</h1> + <p>This vulnerability could cause the kernel to panic. 
In + addition it is possible to perform a local Denial of Service + against the system by unprivileged processes.</p> + </body> + </description> + <references> + <cvename>CVE-2016-1885</cvename> + <freebsdsa>FreeBSD-SA-16:15.sysarch</freebsdsa> + </references> + <dates> + <discovery>2016-03-16</discovery> + <entry>2016-08-11</entry> + </dates> + </vuln> + + <vuln vid="7b1a4a27-600a-11e6-a6c3-14dae9d210b8"> + <topic>FreeBSD -- Multiple OpenSSL vulnerabilities</topic> + <affects> + <package> + <name>FreeBSD</name> + <range><ge>10.2</ge><lt>10.2_13</lt></range> + <range><ge>10.1</ge><lt>10.1_30</lt></range> + <range><ge>9.3</ge><lt>9.3_38</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <h1>Problem Description:</h1> + <p>A cross-protocol attack was discovered that could lead + to decryption of TLS sessions by using a server supporting + SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA + padding oracle. Note that traffic between clients and + non-vulnerable servers can be decrypted provided another + server supporting SSLv2 and EXPORT ciphers (even with a + different protocol such as SMTP, IMAP or POP3) shares the + RSA keys of the non-vulnerable server. This vulnerability + is known as DROWN. [CVE-2016-0800]</p> + <p>A double free bug was discovered when OpenSSL parses + malformed DSA private keys and could lead to a DoS attack + or memory corruption for applications that receive DSA + private keys from untrusted sources. This scenario is + considered rare. [CVE-2016-0705]</p> + <p>The SRP user database lookup method SRP_VBASE_get_by_user + had confusing memory management semantics; the returned + pointer was sometimes newly allocated, and sometimes owned + by the callee. The calling code has no way of distinguishing + these two cases. [CVE-2016-0798]</p> + <p>In the BN_hex2bn function, the number of hex digits is + calculated using an int value |i|. Later |bn_expand| is + called with a value of |i * 4|. 
For large values of |i| + this can result in |bn_expand| not allocating any memory + because |i * 4| is negative. This can leave the internal + BIGNUM data field as NULL leading to a subsequent NULL + pointer dereference. For very large values of |i|, the + calculation |i * 4| could be a positive value smaller than + |i|. In this case memory is allocated to the internal BIGNUM + data field, but it is insufficiently sized leading to heap + corruption. A similar issue exists in BN_dec2bn. This could + have security consequences if BN_hex2bn/BN_dec2bn is ever + called by user applications with very large untrusted hex/dec + data. This is anticipated to be a rare occurrence. + [CVE-2016-0797]</p> + <p>The internal |fmtstr| function used in processing a "%s" + formatted string in the BIO_*printf functions could overflow + while calculating the length of a string and cause an + out-of-bounds read when printing very long strings. + [CVE-2016-0799]</p> + <p>A side-channel attack was found which makes use of + cache-bank conflicts on the Intel Sandy-Bridge microarchitecture + which could lead to the recovery of RSA keys. [CVE-2016-0702]</p> + <p>s2_srvr.c did not enforce that clear-key-length is 0 for + non-export ciphers. If clear-key bytes are present for these + ciphers, they displace encrypted-key bytes. [CVE-2016-0703]</p> + <p>s2_srvr.c overwrites the wrong bytes in the master key + when applying Bleichenbacher protection for export cipher + suites. [CVE-2016-0704]</p> + <h1>Impact:</h1> + <p>Servers that have SSLv2 protocol enabled are vulnerable + to the "DROWN" attack which allows a remote attacker to + fast attack many recorded TLS connections made to the server, + even when the client did not make any SSLv2 connections + themselves.</p> + <p>An attacker who can supply malformed DSA private keys + to OpenSSL applications may be able to cause memory corruption + which would lead to a Denial of Service condition. 
+ [CVE-2016-0705]</p> + <p>An attacker connecting with an invalid username can cause + memory leak, which could eventually lead to a Denial of + Service condition. [CVE-2016-0798]</p> + <p>An attacker who can inject malformed data into an + application may be able to cause memory corruption which + would lead to a Denial of Service condition. [CVE-2016-0797, + CVE-2016-0799]</p> + <p>A local attacker who has control of code in a thread + running on the same hyper-threaded core as the victim thread + which is performing decryptions could recover RSA keys. + [CVE-2016-0702]</p> + <p>An eavesdropper who can intercept SSLv2 handshake can + conduct an efficient divide-and-conquer key recovery attack + and use the server as an oracle to determine the SSLv2 + master-key, using only 16 connections to the server and + negligible computation. [CVE-2016-0703]</p> + <p>An attacker can use the Bleichenbacher oracle, which + enables more efficient variant of the DROWN attack. + [CVE-2016-0704]</p> + </body> + </description> + <references> + <cvename>CVE-2016-0702</cvename> + <cvename>CVE-2016-0703</cvename> + <cvename>CVE-2016-0704</cvename> + <cvename>CVE-2016-0705</cvename> + <cvename>CVE-2016-0797</cvename> + <cvename>CVE-2016-0798</cvename> + <cvename>CVE-2016-0799</cvename> + <cvename>CVE-2016-0800</cvename> + <freebsdsa>FreeBSD-SA-16:12.openssl</freebsdsa> + </references> + <dates> + <discovery>2016-03-10</discovery> + <entry>2016-08-11</entry> + </dates> + </vuln> + + <vuln vid="7ac28df1-600a-11e6-a6c3-14dae9d210b8"> + <topic>FreeBSD -- Linux compatibility layer issetugid(2) system call</topic> + <affects> + <package> + <name>FreeBSD-kernel</name> + <range><ge>10.2</ge><lt>10.2_11</lt></range> + <range><ge>10.1</ge><lt>10.1_28</lt></range> + <range><ge>9.3</ge><lt>9.3_35</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <h1>Problem Description:</h1> + <p>A programming error in the Linux compatibility layer + could cause 
the issetugid(2) system call to return incorrect + information.</p> + <h1>Impact:</h1> + <p>If an application relies on output of the issetugid(2) + system call and that information is incorrect, this could + lead to a privilege escalation.</p> + </body> + </description> + <references> + <cvename>CVE-2016-1883</cvename> + <freebsdsa>FreeBSD-SA-16:10.linux</freebsdsa> + </references> + <dates> + <discovery>2016-01-27</discovery> + <entry>2016-08-11</entry> + </dates> + </vuln> + + <vuln vid="7a31dfba-600a-11e6-a6c3-14dae9d210b8"> + <topic>FreeBSD -- Insecure default snmpd.config permissions</topic> + <affects> + <package> + <name>FreeBSD</name> + <range><ge>10.2</ge><lt>10.2_9</lt></range> + <range><ge>10.1</ge><lt>10.1_26</lt></range> + <range><ge>9.3</ge><lt>9.3_33</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <h1>Problem Description:</h1> + <p>The SNMP protocol supports an authentication model called + USM, which relies on a shared secret. 
The default permission + of the snmpd.configiguration file, /etc/snmpd.config, is + weak and does not provide adequate protection against local + unprivileged users.</p> + <h1>Impact:</h1> + <p>A local user may be able to read the shared secret, if + configured and used by the system administrator.</p> + </body> + </description> + <references> + <cvename>CVE-2015-5677</cvename> + <freebsdsa>FreeBSD-SA-16:06.bsnmpd</freebsdsa> + </references> + <dates> + <discovery>2016-01-14</discovery> + <entry>2016-08-11</entry> + </dates> + </vuln> + + <vuln vid="79dfc135-600a-11e6-a6c3-14dae9d210b8"> + <topic>FreeBSD -- TCP MD5 signature denial of service</topic> + <affects> + <package> + <name>FreeBSD-kernel</name> + <range><ge>10.2</ge><lt>10.2_9</lt></range> + <range><ge>10.1</ge><lt>10.1_26</lt></range> + <range><ge>9.3</ge><lt>9.3_33</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <h1>Problem Description:</h1> + <p>A programming error in processing a TCP connection with + both TCP_MD5SIG and TCP_NOOPT socket options may lead to + kernel crash.</p> + <h1>Impact:</h1> + <p>A local attacker can crash the kernel, resulting in a + denial-of-service.</p> + <p>A remote attack is theoretically possible, if server has + a listening socket with TCP_NOOPT set, and server is either + out of SYN cache entries, or SYN cache is disabled by + configuration.</p> + </body> + </description> + <references> + <cvename>CVE-2016-1882</cvename> + <freebsdsa>FreeBSD-SA-16:05.tcp</freebsdsa> + </references> + <dates> + <discovery>2016-01-14</discovery> + <entry>2016-08-11</entry> + </dates> + </vuln> + + <vuln vid="798f63e0-600a-11e6-a6c3-14dae9d210b8"> + <topic>FreeBSD -- Linux compatibility layer setgroups(2) system call</topic> + <affects> + <package> + <name>FreeBSD-kernel</name> + <range><ge>10.2</ge><lt>10.2_9</lt></range> + <range><ge>10.1</ge><lt>10.1_26</lt></range> + <range><ge>9.3</ge><lt>9.3_33</lt></range> + </package> + </affects> 
+ <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <h1>Problem Description:</h1> + <p>A programming error in the Linux compatibility layer + setgroups(2) system call can lead to an unexpected results, + such as overwriting random kernel memory contents.</p> + <h1>Impact:</h1> + <p>It is possible for a local attacker to overwrite portions + of kernel memory, which may result in a privilege escalation + or cause a system panic.</p> + </body> + </description> + <references> + <cvename>CVE-2016-1881</cvename> + <freebsdsa>FreeBSD-SA-16:04.linux</freebsdsa> + </references> + <dates> + <discovery>2016-01-14</discovery> + <entry>2016-08-11</entry> + </dates> + </vuln> + + <vuln vid="793fb19c-600a-11e6-a6c3-14dae9d210b8"> + <topic>FreeBSD -- Linux compatibility layer incorrect futex handling</topic> + <affects> + <package> + <name>FreeBSD-kernel</name> + <range><ge>10.2</ge><lt>10.2_9</lt></range> + <range><ge>10.1</ge><lt>10.1_26</lt></range> + <range><ge>9.3</ge><lt>9.3_33</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <h1>Problem Description:</h1> + <p>A programming error in the handling of Linux futex robust + lists may result in incorrect memory locations being + accessed.</p> + <h1>Impact:</h1> + <p>It is possible for a local attacker to read portions of + kernel memory, which may result in a privilege escalation.</p> + </body> + </description> + <references> + <cvename>CVE-2016-1880</cvename> + <freebsdsa>FreeBSD-SA-16:03.linux</freebsdsa> + </references> + <dates> + <discovery>2016-01-14</discovery> + <entry>2016-08-11</entry> + </dates> + </vuln> + + <vuln vid="78f06a6c-600a-11e6-a6c3-14dae9d210b8"> + <topic>FreeBSD -- SCTP ICMPv6 error message vulnerability</topic> + <affects> + <package> + <name>FreeBSD-kernel</name> + <range><ge>10.2</ge><lt>10.2_9</lt></range> + <range><ge>10.1</ge><lt>10.1_26</lt></range> + <range><ge>9.3</ge><lt>9.3_33</lt></range> + </package> + </affects> + <description> 
+ <body xmlns="http://www.w3.org/1999/xhtml"> + <h1>Problem Description:</h1> + <p>A lack of proper input checks in the ICMPv6 processing + in the SCTP stack can lead to either a failed kernel assertion + or to a NULL pointer dereference. In either case, a kernel + panic will follow.</p> + <h1>Impact:</h1> + <p>A remote, unauthenticated attacker can reliably trigger + a kernel panic in a vulnerable system running IPv6. Any + kernel compiled with both IPv6 and SCTP support is vulnerable. + There is no requirement to have an SCTP socket open.</p> + <p>IPv4 ICMP processing is not impacted by this vulnerability.</p> + </body> + </description> + <references> + <cvename>CVE-2016-1879</cvename> + <freebsdsa>FreeBSD-SA-16:01.sctp</freebsdsa> + </references> + <dates> + <discovery>2016-01-14</discovery> + <entry>2016-08-11</entry> + </dates> + </vuln> + <vuln vid="0e5d6969-600a-11e6-a6c3-14dae9d210b8"> <topic>FreeBSD -- rpcbind(8) remote denial of service [REVISED]</topic> <affects> |
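Review bot: the bsnmpd entry (vid 7a31dfba-...) has a typo in its problem description, `The default permission of the snmpd.configiguration file, /etc/snmpd.config, is weak`, which should read `the snmpd configuration file, /etc/snmpd.config`. Two other descriptions in the same hunk read awkwardly and are worth fixing while the entries are new: the sysarch entry (vid 7b6a11b5-...) opens with `A special combination of sysarch(2) arguments, specify a request to uninstall a set of descriptors from the LDT.`, where the comma should go and the verb should be `specifies`, and the setgroups entry (vid 798f63e0-...) says `can lead to an unexpected results`, which should be either `an unexpected result` or `unexpected results`. The ranges, CVE references and FreeBSD-SA identifiers are consistent across the fifteen entries (kernel issues use the FreeBSD-kernel package, userland issues use FreeBSD, and each entry's patch levels decrease with the older SA numbers), so the wording is the only thing I would change before merging.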