copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2014.0896 - [Debian] kfreebsd-9: Multiple vulnerabilities

Date: 06 June 2014
References: ESB-2014.0552  ESB-2014.0626  ESB-2014.0808  ESB-2014.0950  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0896
                        kfreebsd-9 security update
                                6 June 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           kfreebsd-9
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3880 CVE-2014-3000 CVE-2014-1453

Reference:         ESB-2014.0808
                   ESB-2014.0626
                   ESB-2014.0552

Original Bulletin: 
   http://www.debian.org/security/2014/dsa-2952

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2952-1                   security@debian.org
http://www.debian.org/security/                                Nico Golde
June 05, 2014                          http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : kfreebsd-9
CVE ID         : CVE-2014-1453 CVE-2014-3000 CVE-2014-3880

Several vulnerabilities have been discovered in the FreeBSD kernel that may
lead to a denial of service or possibly disclosure of kernel memory. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2014-1453

    A remote, authenticated attacker could cause the NFS server become
    deadlocked, resulting in a denial of service.

CVE-2014-3000:

    An attacker who can send a series of specifically crafted packets with a
    connection could cause a denial of service situation by causing the kernel
    to crash.

    Additionally, because the undefined on stack memory may be overwritten by
    other kernel threads, while difficult, it may be possible for an attacker
    to construct a carefully crafted attack to obtain portion of kernel memory
    via a connected socket.  This may result in the disclosure of sensitive
    information such as login credentials, etc. before or even without
    crashing the system.

CVE-2014-3880

    A local attacker can trigger a kernel crash (triple fault) with potential
    data loss, related to the execve/fexecve system calls.
    Reported by Ivo De Decker.

For the stable distribution (wheezy), these problems have been fixed in
version 9.0-10+deb70.7.

For the unstable (sid) and testing (jessie) distributions, these problems are fixed
in kfreebsd-10 version 10.0-6.

We recommend that you upgrade your kfreebsd-9 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBCgAGBQJTkRT2AAoJEM1LKvOgoKqqklQP/i/s98hMBshejHW/D+Myrjb+
qLONTB/D1baYwbaqQ4bIJfc7BXbKwoqkPNXWoSTj3ER9u4S6vEfTRWEnayKoxmZw
EqTK6WvE4RtpTr/40kG24FhygE0h+MbFEGducHJ9KUHKmrezzG6tHXdZWjjWE/e8
3oShNGDg1qElU2hz8g84v45I/oMY9R+IgXIEh46jGuVssOhipvzlFVcInujof0ka
lG13ZyeHtwxw+DBspIfTyesUjKIhMGQl7ZiciE/7bItMD8NF5fE3gcU2QLJ8bCky
fOQYyAcFxZz5KG84thusV81Pvsr+3bsq0SS6QfcS5PyS7Dn6AP5WHG81c0GoO6Zm
PUkf1N+BYh6o45qMoE/ElKpB37inh0q+f4bffUzOLrrdW/LWturKljkBu1kRR2QI
SpwyMXn3ELrSliw4UynTxZnJx6ZBGiQvbq0lwgtnXps2+VETNqCLsmzcrtiAIezJ
XhJGWAZIPbZE66cVDpaJS9JprXhngK7M08ALmOIpjLZwwrWJ16j34WBrkzq2/HWB
YmroXtXF+2y86d4ccKcMTfphYL3/ZefhlQYvOrsfFpAMyp6GrUnXSgGlAxHI+a76
WVZJ5+zzyuwW5Eq+dJ/cZg7vJL513d5lR1Hl0Td/SZuXM9SAFXcfdOZMSrKEStav
kGzWGyMrdzRWIUIZV0AE
=LmW/
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU5EmwhLndAQH1ShLAQJrchAAlQMGIVLGJdusey7iOD2ZEx6Rux+eTOPF
y0aawMlleFRLE1N/RRojPq3nPlVct+OGhp9MPqymSJtQQ0PzlBZx1xN+5mPdVmFw
kS85XiVSVxvrLB50JIP09iIqzAa5gvklbMuCmpfLFvlzR2COgC2dRL1uz+okDR8Y
+jxC8/2MJ78cFlRJuyxnvotsKIUmdkVjy044PVUueYm2CYK6h3HTrsDGpJwkqtip
cJH97AazKg1JCnORK42fhfRr+inziYzSGAh9/xc09qQ5vgjkRXo36AbYLJAtVZRU
EJ3bBl77/BsbQjy1/hY/RcVQ6ed3U/Vni/4nrvBZr/kpEr9g9gc4fcEa3X96Ixsv
lMpQ2+Ngkf+J8cZsg9zXfFHkbri8WTD085hrYmmi61F+7wHgtdOaxPo23l2aw5tY
u8bAyhtRxbEfmFWAL3ucwhgzHITucNCk1qbm70gifQsvijH4bsc2P8QZM9fy6k5Q
R80foupP2gVGMY5QElDUxL77Udr6XSTLDdMWj3+94MB72MZAFT85bOvXDrVvapwq
Zq80g7WnWPtQvGIeK3KVzmLUH+ckK4kEg7lPlAWNnGig5HlDcRuMHXmi3xY4CLn/
SPKksCg/Kt2CmVs+Ij3LC9i5gOE4jX9NHPlUC525nP/izB4Pjr5IU9uvpw4kOYPZ
376pNDJ1zWY=
=zfrM
-----END PGP SIGNATURE-----