FreeBSD Security Advisory - A programming error in processing a TCP connection with both TCP_MD5SIG and TCP_NOOPT socket options may lead to a kernel crash. A local attacker can crash the kernel, resulting in a denial-of-service. A remote attack is theoretically possible if the server has a listening socket with TCP_NOOPT set, and the server is either out of SYN cache entries, or the SYN cache is disabled by configuration.
aae224887feba54329c62ef5dbccfcd1734ce5544a6b0e2abe2408d83ae2803e
FreeBSD Security Advisory - A programming error in the handling of Linux futex robust lists may result in incorrect memory locations being accessed. It is possible for a local attacker to read portions of kernel memory, which may result in a privilege escalation.
6e71a946b05a4fbf7520e8ab6b55ed26c9e72fb9ef0e53bb0028769e88743e7b
FreeBSD Security Advisory - A programming error in the Linux compatibility layer setgroups(2) system call can lead to unexpected results, such as overwriting random kernel memory contents. It is possible for a local attacker to overwrite portions of kernel memory, which may result in a privilege escalation or cause a system panic.
cf75e26a6ef0395cbb85b7cf7c6e2b19e6cb888a8f0146ab3ad766b12fd06c13
FreeBSD Security Advisory - An error in the parsing of incoming responses allows some records with an incorrect class to be accepted by BIND instead of being rejected as malformed. This can trigger a REQUIRE assertion failure when those records are subsequently cached. An attacker who can cause a server to request a record with a malformed class attribute can use this bug to trigger a REQUIRE assertion in db.c, causing named to exit and denying service to clients. The risk to recursive servers is high. Authoritative servers are at limited risk if they perform authentication when making recursive queries to resolve addresses for servers listed in NS RRSETs.
3f66432f8713d26de09e56124d8b800cfcef8c7957a74030786c6c424fe61925
FreeBSD Security Advisory - OpenSSL has had multiple vulnerabilities addressed. The signature verification routines will crash with a NULL pointer dereference if presented with an ASN.1 signature using the RSA PSS algorithm and absent mask generation function parameter. When presented with a malformed X509_ATTRIBUTE structure, OpenSSL will leak memory. If PSK identity hints are received by a multi-threaded client then the values are incorrectly updated in the parent SSL_CTX structure.
b3432b7d049cf95d92acc07e43d3ee7a16a360943d384c441f979bc71d8eeae2
FreeBSD Security Advisory - Crypto-NAK packets can be used to cause ntpd(8) to accept time from an unauthenticated ephemeral symmetric peer by bypassing the authentication required to mobilize peer associations. FreeBSD 9.3 and 10.1 are not affected. Various other issues have also been addressed.
97daf08486cc4c8cc8703eb625aea225e01f9a851cedc0e7f504b4776cf765dc
FreeBSD Security Advisory - In rpcbind(8), netbuf structures are copied directly, which would result in two netbuf structures that reference one shared address buffer. When one of the two netbuf structures is freed, access to the other netbuf structure would result in an undefined result that may crash the rpcbind(8) daemon. A remote attacker who can send specifically crafted packets to the rpcbind(8) daemon can cause it to crash, resulting in a denial of service condition.
3878ab5590562a5fd5ca50aa28fff88a0aafae68e4b7788d01ccb77fe3e7103d
FreeBSD Security Advisory - Parsing a malformed DNSSEC key can cause a validating resolver to exit due to a failed assertion in buffer.c. A remote attacker can deliberately trigger the failed assertion which will cause an affected server to terminate, by using a query that requires a response from a zone containing a malformed key, resulting in a denial of service condition. Recursive servers are at greatest risk, however, an authoritative server could also be affected, if an attacker controls a zone that the server must query against to perform its zone service.
19a32d5376ff03333088cddc32b4e99e806201efa92da2f753a45e3f50b0db3c
FreeBSD Security Advisory - If the kernel-mode IRET instruction generates an #SS or #NP exception, but the exception handler does not properly ensure that the right GS register base for kernel is reloaded, the userland GS segment may be used in the context of the kernel exception handler. By causing an IRET with #SS or #NP exceptions, a local attacker can cause the kernel to use an arbitrary GS base, which may allow escalated privileges or panic the system.
c96f042a2e1f79016cee3228dd1a6dccfd18fcba578117e9a03af878aee5caf1
FreeBSD Security Advisory - A programming error in the privileged monitor process of the sshd(8) service may allow the username of an already-authenticated user to be overwritten by the unprivileged child process. A use-after-free error in the privileged monitor process of the sshd(8) service may be deterministically triggered by the actions of a compromised unprivileged child process. A use-after-free error in the session multiplexing code in the sshd(8) service may result in unintended termination of the connection.
3a8b1bfd85b5a339a84d61427764656f8de8bc6b1e993e98a5732638aac6f504
HP Security Bulletin HPSBGN03395 1 - A potential security vulnerability has been identified with HP KeyView running on HP-UX, Linux, Solaris, Windows, FreeBSD, and AIX. The vulnerability could be exploited remotely to allow execution of code. Revision 1 of this advisory.
d4943331c6e9bd04dfbd5d772d43f3cfb604cd0b207c5e286fdb599dbf4649c0
FreeBSD Security Advisory - Multiple integer overflows have been discovered in the XML_GetBuffer() function in the expat library.
1bf2e6f9cf139148956ddc5cace6515fc78c0e1fbfbe63d0896601c7485a121a
FreeBSD Security Advisory - Due to insufficient sanitization of the input patch stream, it is possible for a patch file to cause patch(1) to pass certain ed(1) scripts to the ed(1) editor, which would run commands.
e51056b21bf1261aca861b5f157bbc4e6a512d1bfac5ac420da3eafded8f669e
FreeBSD Security Advisory - The input path in routed(8) will accept queries from any source and attempt to answer them. However, the output path assumes that the destination address for the response is on a directly connected network.
6e6f6efe8ccdaea30a1e791ecaa8631267bf969b10fccf2d5ab6051794966af0
FreeBSD Security Advisory - Due to insufficient sanitization of the input patch stream, it is possible for a patch file to cause patch to run commands in addition to the desired SCCS or RCS commands.
a20c17eaa0d678a6581f823ffc677e815ad4e27a81210c150dd342d5e8c22101
FreeBSD Security Advisory - A remote attacker can trigger a crash of a name server. Both recursive and authoritative servers are affected, and the exposure cannot be mitigated by either ACLs or configuration options limiting or denying service because the exploitable code occurs early in the packet handling, before checks enforcing those boundaries.
846c53d6de99a6145a851883cd99b3ff6c32854a6c9e0c92a215d8bd9d16df91
FreeBSD Security Advisory - OpenSSH clients do not correctly verify DNS SSHFP records when a server offers a certificate. OpenSSH servers which are configured to allow password authentication using PAM (default) would allow many password attempts.
5a62702946b5a02f2793adee927547243f7fc23df83ae91a601fe9c2411fbd69
FreeBSD Security Advisory - There is a mistake with the introduction of VNET, which converted the global limit on the number of segments that could belong to reassembly queues into a per-VNET limit. Because mbufs are allocated from a global pool, in the presence of a sufficient number of VNETs, the total number of mbufs attached to reassembly queues can grow to the total number of mbufs in the system, at which point all network traffic would cease. An attacker who can establish concurrent TCP connections across a sufficient number of VNETs and manipulate the inbound packet streams such that the maximum number of mbufs are enqueued on each reassembly queue can cause mbuf cluster exhaustion on the target system, resulting in a Denial of Service condition. As the default per-VNET limit on the number of segments that can belong to reassembly queues is 1/16 of the total number of mbuf clusters in the system, only systems that have 16 or more VNET instances are vulnerable.
4651dfbd0c91abc16de434dacb94a6bbd086b3657240c2386bbf868ee0921266
FreeBSD Security Advisory - TCP connections transitioning to the LAST_ACK state can become permanently stuck due to mishandling of protocol state in certain situations, which in turn can lead to accumulated consumption and eventual exhaustion of system resources, such as mbufs and sockets.
ca370532c669a959a43a27961c0f51adab4f5da48a536d4759a39ad719cbe9a9
This Metasploit module exploits a code execution flaw in Western Digital Arkeia version 11.0.12 and below. The vulnerability exists in the 'arkeiad' daemon listening on TCP port 617. Because there are insufficient checks on the authentication of all clients, this can be bypassed. Using the ARKFS_EXEC_CMD operation it's possible to execute arbitrary commands with root or SYSTEM privileges. The daemon is installed on both the Arkeia server as well as on all the backup clients. The module has been successfully tested on Windows, Linux, OSX, FreeBSD and OpenBSD.
7b4c0df3265eff7d8bf05b564fe0ba2fea10cec409923415d3a6df2a68832eed
FreeBSD Security Advisory - During certificate verification, OpenSSL will attempt to find an alternative certificate chain if the first attempt to build such a chain fails, unless the application explicitly specifies X509_V_FLAG_NO_ALT_CHAINS. An error in the implementation of this logic could erroneously mark certificates as trusted when they should not be. An attacker could cause certain checks on untrusted certificates, such as the CA (certificate authority) flag, to be bypassed, which would enable them to use a valid leaf certificate to act as a CA and issue an invalid certificate.
7506aba3461e8c1915436a9531f38abc96e09fee2b93caefa87da64dce1a32d3
FreeBSD Security Advisory - BIND 9 is an implementation of the Domain Name System (DNS) protocol. The named daemon is an Internet Domain Name Server. The libdns library is a library of DNS protocol support functions. Due to a software defect, specially constructed zone data could cause named to crash with an assertion failure and rejecting the malformed query when DNSSEC validation is enabled. An attacker who can cause specific queries to be sent to a nameserver could cause named to crash, resulting in a denial of service.
08e7620d8f3528815ea6adf5b08b755493b804636e13bbbcda7678f4beace8a4
FreeBSD Security Advisory - A vulnerability in the TLS protocol would allow a man-in-the-middle attacker to downgrade vulnerable TLS connections using ephemeral Diffie-Hellman key exchange to 512-bit export-grade cryptography. This vulnerability is also known as Logjam. When processing an ECParameters structure OpenSSL enters an infinite loop if the curve specified is over a specially malformed binary polynomial field. When verifying a signedData message the CMS code can enter an infinite loop if presented with an unknown hash function OID. Various other issues have also been addressed.
0f31d8be8e851db5b69fa3df18252499edec9d5d973028af8019e2d1dedd741b
FreeBSD Security Advisory - The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) used to synchronize the time of a computer system to a reference time source. The vallen packet value is not validated in several code paths in ntp_crypto.c. When ntpd(8) is configured to use a symmetric key to authenticate a remote NTP server/peer, it checks if the NTP message authentication code (MAC) in received packets is valid, but not that there actually is any MAC included, and packets without a MAC are accepted as if they had a valid MAC. NTP state variables are updated prior to validating the received packets.
76984f9165afa07a2ac44484102a158a9baadc4ba9f94cabfb3ef94b8f0fb933