FreeBSD, NetBSD Security Vulnerabilities

veracode

Denial Of Service (DoS) Through Memory Consumption

OpenSSL is vulnerable to denial of service (DoS) attacks. These attacks are possible because there is a memory leak in the tls_decrypt_ticket function which can be triggered through a session...

4.2AI Score

0.937EPSS

2017-02-06 08:56 AM
26
veracode

Access Restriction Bypass

OpenSSL is vulnerable to access restriction bypass. This is possible because OpenSSL does not enforce the no-ssl3 build option, which then allows remote attackers to bypass intended access restrictions via an SSL 3.0 handshake, related to s23_clnt.c and...

4.5AI Score

0.005EPSS

2017-02-06 08:45 AM
25
veracode

Denial Of Service (DoS) Through Null Pointer Dereference

OpenSSL is vulnerable to denial of service (DoS) attacks. This is caused by the ssl_set_client_disabled function and triggered by a ServerHello message that includes an SRP ciphersuite but no negotiation of that suite with the...

4.3AI Score

0.05EPSS

2017-02-06 05:58 AM
14
cve

CVE-2016-6253

mail.local in NetBSD versions 6.0 through 6.0.6, 6.1 through 6.1.5, and 7.0 allows local users to change ownership of or append data to arbitrary files on the target system via a symlink attack on the user...

7.8CVSS

7.3AI Score

0.001EPSS

2017-01-20 03:59 PM
18
2
nvd

CVE-2016-6253

mail.local in NetBSD versions 6.0 through 6.0.6, 6.1 through 6.1.5, and 7.0 allows local users to change ownership of or append data to arbitrary files on the target system via a symlink attack on the user...

7.8CVSS

7.4AI Score

0.001EPSS

2017-01-20 03:59 PM
prion

Code injection

mail.local in NetBSD versions 6.0 through 6.0.6, 6.1 through 6.1.5, and 7.0 allows local users to change ownership of or append data to arbitrary files on the target system via a symlink attack on the user...

7.8CVSS

6.8AI Score

0.001EPSS

2017-01-20 03:59 PM
2
cvelist

CVE-2016-6253

mail.local in NetBSD versions 6.0 through 6.0.6, 6.1 through 6.1.5, and 7.0 allows local users to change ownership of or append data to arbitrary files on the target system via a symlink attack on the user...

7.5AI Score

0.001EPSS

2017-01-20 03:00 PM
prion

Code injection

CGI handling flaw in bozohttpd in NetBSD 6.0 through 6.0.6, 6.1 through 6.1.5, and 7.0 allows remote attackers to execute arbitrary code via crafted arguments, which are handled by a non-CGI aware...

9.8CVSS

8.2AI Score

0.016EPSS

2017-01-19 08:59 PM
5
nvd

CVE-2015-8212

CGI handling flaw in bozohttpd in NetBSD 6.0 through 6.0.6, 6.1 through 6.1.5, and 7.0 allows remote attackers to execute arbitrary code via crafted arguments, which are handled by a non-CGI aware...

9.8CVSS

9.8AI Score

0.016EPSS

2017-01-19 08:59 PM
cve

CVE-2015-8212

CGI handling flaw in bozohttpd in NetBSD 6.0 through 6.0.6, 6.1 through 6.1.5, and 7.0 allows remote attackers to execute arbitrary code via crafted arguments, which are handled by a non-CGI aware...

9.8CVSS

9.6AI Score

0.016EPSS

2017-01-19 08:59 PM
27
cvelist

CVE-2015-8212

CGI handling flaw in bozohttpd in NetBSD 6.0 through 6.0.6, 6.1 through 6.1.5, and 7.0 allows remote attackers to execute arbitrary code via crafted arguments, which are handled by a non-CGI aware...

9.7AI Score

0.016EPSS

2017-01-19 08:00 PM
ubuntucve

CVE-2015-8212

CGI handling flaw in bozohttpd in NetBSD 6.0 through 6.0.6, 6.1 through 6.1.5, and 7.0 allows remote attackers to execute arbitrary code via crafted arguments, which are handled by a non-CGI aware...

9.8CVSS

7AI Score

0.016EPSS

2017-01-19 12:00 AM
7
threatpost

Buffer Overflow in BSD libc Library Patched

The BSD libc library was updated recently to address a buffer overflow vulnerability that could have allowed an attacker to execute arbitrary code. The library is part of the POSIX library, which is used in BSD operating systems, like FreeBSD, NetBSD, OpenBSD. The libc library is also used in...

1.7AI Score

2016-12-07 02:55 PM
10
cert

BSD libc contains a buffer overflow vulnerability in link_ntoa()

Overview The BSD libc library's link_ntoa() function may be vulnerable to a classic buffer overflow. It is currently unclear if this issue is exploitable. Description CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - CVE-2016-6559 Improper bounds checking of the obuf....

9.8CVSS

0.1AI Score

0.008EPSS

2016-12-06 12:00 AM
54
freebsd

ipsec-tools -- remotely exploitable computational-complexity attack

Robert Foggia via NetBSD GNATS reports: The ipsec-tools racoon daemon contains a remotely exploitable computational complexity attack when parsing and storing isakmp fragments. The implementation permits a remote attacker to exhaust computational resources on the remote endpoint ...

7.5CVSS

3.1AI Score

0.003EPSS

2016-12-02 12:00 AM
14
cert

NTP.org ntpd contains multiple denial of service vulnerabilities

Overview NTP.org ntpd versions ntp-4.2.7p385 up to but not including ntp-4.2.8p9 and ntp-4.3.0 up to but not including ntp-4.3.94 contain multiple denial of service vulnerabilities. Description NTP.org's ntpd, versions ntp-4.2.7p385 up to but not including ntp-4.2.8p9 and ntp-4.3.0 up to but not...

7.5CVSS

0.6AI Score

0.965EPSS

2016-11-21 12:00 AM
115
gentoo

tnftp: Arbitrary code execution

Background tnftp is a NetBSD FTP client with several advanced features. Description The fetch_url function in usr.bin/ftp/fetch.c allows remote attackers to execute arbitrary commands via a Impact A remote attacker could possibly execute arbitrary code with the privileges of the process. ...

5.8AI Score

0.959EPSS

2016-11-15 12:00 AM
35
kitploit

Lynis 2.4.0 - Security Auditing Tool for Unix/Linux Systems

We are excited to announce this major release of auditing tool Lynis. Several big changes have been made to core functions of Lynis. These changes are the next of simplification improvements we made. There is a risk of breaking your existing configuration. Lynis is an open source security...

7.2AI Score

2016-10-31 02:14 PM
9
cert

MatrixSSL contains multiple vulnerabilities

Overview MatrixSSL, version 3.8.5 and earlier, contains heap overflow, out-of-bounds read, and unallocated memory free operation vulnerabilities. Description CWE-122: Heap-based Buffer Overflow - CVE-2016-6890 The Subject Alt Name field of X.509 certificates is not properly parsed. A specially...

9.8CVSS

0.8AI Score

0.035EPSS

2016-10-11 12:00 AM
9
kitploit

Lynis 2.3.4 - Security Auditing Tool for Unix/Linux Systems

We are excited to announce this major release of auditing tool Lynis. Several big changes have been made to core functions of Lynis. These changes are the next of simplification improvements we made. There is a risk of breaking your existing configuration. Lynis is an open source security...

7.1AI Score

2016-09-29 02:30 PM
9
zdt

NetBSD mail.local - Privilege Escalation (Metasploit)

Exploit for bsd platform in category local...

7.4AI Score

0.001EPSS

2016-09-15 12:00 AM
20
packetstorm

0.6AI Score

2016-09-15 12:00 AM
18
kitploit

Lynis 2.3.3 - Security Auditing Tool for Unix/Linux Systems

We are excited to announce this major release of auditing tool Lynis. Several big changes have been made to core functions of Lynis. These changes are the next of simplification improvements we made. There is a risk of breaking your existing configuration. Lynis is an open source security...

6.9AI Score

2016-08-24 02:27 PM
7
redhatcve

CVE-2016-4973

It was found that targets using gcc's libssp library for Stack Smashing Protection (among others: Cygwin, MinGW, newlib, RTEMS; but not Glibc, Bionic, NetBSD which provide SSP in libc), are missing the Object Size Checking feature, even when explicitly requested with _FORTIFY_SOURCE. Vulnerable...

7.8CVSS

2.6AI Score

0.0004EPSS

2016-08-18 09:04 PM
13
cert

HTTP CONNECT and 407 Proxy Authentication Required messages are not integrity protected

Overview HTTP CONNECT requests and 407 Proxy Authentication Required messages are not integrity protected and are susceptible to man-in-the-middle attacks. WebKit-based applications are additionally vulnerable to arbitrary HTML markup and JavaScript execution in the context of the originally...

6.5CVSS

AI Score

0.006EPSS

2016-08-15 12:00 AM
163
kitploit

Lynis 2.3.2 - Security Auditing Tool for Unix/Linux Systems

We are excited to announce this major release of auditing tool Lynis. Several big changes have been made to core functions of Lynis. These changes are the next of simplification improvements we made. There is a risk of breaking your existing configuration. Lynis is an open source security...

7.2AI Score

2016-08-10 04:30 AM
3
packetstorm

-0.2AI Score

0.001EPSS

2016-07-22 12:00 AM
18
exploitdb

7.4AI Score

EPSS

2016-07-21 12:00 AM
15
exploitpack

NetBSD - mail.local(8) Local Privilege Escalation

NetBSD - mail.local(8) Local Privilege...

0.7AI Score

2016-07-21 12:00 AM
8
zdt

NetBSD mail.local(8) - Privilege Escalation (NetBSD-SA2016-006)

Exploit for bsd platform in category local...

7.4AI Score

0.001EPSS

2016-07-21 12:00 AM
30
cert

CGI web servers assign Proxy header values from client requests to internal HTTP_PROXY environment variables

Overview Web servers running in a CGI or CGI-like context may assign client request Proxy header values to internal HTTP_PROXY environment variables. This vulnerability can be leveraged to conduct man-in-the-middle (MITM) attacks on internal subrequests or to direct the server to initiate...

8.1CVSS

0.4AI Score

0.948EPSS

2016-07-18 12:00 AM
94
kitploit

Lynis 2.3.0 - Security Auditing Tool for Unix/Linux Systems

We are excited to announce this major release of auditing tool Lynis. Several big changes have been made to core functions of Lynis. These changes are the next of simplification improvements we made. There is a risk of breaking your existing configuration. Lynis is an open source security...

6.9AI Score

2016-07-13 07:32 PM
19
cert

mDNSResponder contains multiple memory-based vulnerabilities

Overview mDNSResponder provides unicast and multicast mDNS services on UNIX-like operating systems such as OS X. mDNSResponder version 379.27 and above prior to version 625.41.2 is vulnerable to several buffer overflow vulnerabilities, as well as a null pointer dereference. Description CWE-120:...

9.8CVSS

9.5AI Score

0.012EPSS

2016-06-20 12:00 AM
37
cert

NTP.org ntpd is vulnerable to denial of service and other vulnerabilities

Overview NTP.org's reference implementation of NTP server, ntpd, contains multiple vulnerabilities. Description NTP.org's reference implementation of NTP server, ntpd, contains multiple vulnerabilities. A brief overview follows, but details may be found in NTP's security advisory listing and in...

7.5CVSS

AI Score

0.923EPSS

2016-06-02 12:00 AM
47
nessus

Debian DLA-491-1 : postgresql-9.1 bugfix update

The PostgreSQL project released a new version of the PostgreSQL 9.1 branch : Clear the OpenSSL error queue before OpenSSL calls, rather than assuming it's clear already; and make sure we leave it clear afterwards (Peter Geoghegan, Dave Vitek, Peter Eisentraut) This change prevents...

-0.1AI Score

2016-05-31 12:00 AM
14
debian

[SECURITY] [DLA 491-1] postgresql-9.1 bugfix update

Package : postgresql-9.1 Version : 9.1.22-0+deb7u1 The PostgreSQL project released a new version of the PostgreSQL 9.1 branch: Clear the OpenSSL error queue before OpenSSL calls, rather than assuming it's clear already; and make sure we leave it clear afterwards (Peter Geoghegan,...

7.2AI Score

2016-05-27 08:52 PM
34
osv

postgresql-9.1 - bugfix update

The PostgreSQL project released a new version of the PostgreSQL 9.1 branch: Clear the OpenSSL error queue before OpenSSL calls, rather than assuming it's clear already; and make sure we leave it clear afterwards (Peter Geoghegan, Dave Vitek, Peter Eisentraut) This change prevents problems when...

0.2AI Score

2016-05-27 12:00 AM
6
xen

x86 software guest page walk PS bit handling flaw

ISSUE DESCRIPTION The Page Size (PS) page table entry bit exists at all page table levels other than L1. Its meaning is reserved in L4, and conditionally reserved in L3 and L2 (depending on hardware capabilities). The software page table walker in the hypervisor, however, so far ignored that bit...

8.4CVSS

0.5AI Score

0.002EPSS

2016-05-17 10:54 AM
30
cert

Little CMS 2 DefaultICCintents double-free vulnerability

Overview Little CMS 2 contains a double-free vulnerability in the DefaultICCintents function, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Description Little CMS is an open-source color management engine that supports the International Color.....

9.8CVSS

0.5AI Score

0.043EPSS

2016-05-04 12:00 AM
13
cert

NTP.org ntpd contains multiple vulnerabilities

Overview The NTP.org reference implementation of ntpd contains multiple vulnerabilities. Description NTP.org's reference implementation of NTP server, ntpd, contains multiple vulnerabilities. CWE-294: Authentication Bypass by Capture-replay - CVE-2015-7973 An attacker on the network can record...

9.8CVSS

7.9AI Score

0.86EPSS

2016-04-27 12:00 AM
58
n0where

Transparent SSL TLS interception: SSLsplit

Transparent SSL TLS interception: SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted network connections. It is intended to be useful for network forensics, application security analysis, web application security testing, network security auditing, penetration testing and...

-0.1AI Score

2016-04-07 07:00 PM
474
n0where

Nginx Web Application Firewall: NAXSI

NAXSI means Nginx Anti XSS & SQL Injection. Technically, it is a third party nginx module, available as a package for many UNIX-like platforms. This module, by default, reads a small subset of simple (and readable) rules containing 99% of known patterns involved in website...

1.3AI Score

2016-03-31 02:08 PM
9
kitploit

Lynis 2.2.0 - Security Auditing Tool for Unix/Linux Systems

Lynis is an open source security auditing tool. Commonly used by system administrators, security professionals and auditors, to evaluate the security defenses of their Linux/Unix based systems. It runs on the host itself, so it can perform very extensive security scans. Supported operating systems....

7.1AI Score

2016-03-20 10:03 PM
13
nessus

Debian DLA-444-1 : php5 security update

CVE-2015-2305 Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and other products, might allow context-dependent attackers to execute arbitrary code via a large regular expression.....

9.1AI Score

0.008EPSS

2016-03-01 12:00 AM
19
debian

[SECURITY] [DLA 444-1] php5 security update

Package : php5 Version : 5.3.3.1-7+squeeze29 CVE ID : CVE-2015-2305 CVE-2015-2348 CVE-2015-2305 Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and...

8.8AI Score

0.008EPSS

2016-02-29 06:41 PM
17
cert

IKE/IKEv2 protocol implementations may allow network amplification attacks

Overview Implementations of the IKEv2 protocol are vulnerable to network amplification attacks. Description CWE-406: Insufficient Control of Network Message Volume (Network Amplification) IKE/IKEv2 and other UDP-based protocols can be used to amplify denial-of-service attacks. In some scenarios,...

7.5CVSS

0.6AI Score

0.001EPSS

2016-02-29 12:00 AM
11
cert

glibc vulnerable to stack buffer overflow in DNS resolver

Overview GNU glibc contains a buffer overflow vulnerability in the DNS resolver, which may allow a remote attacker to execute arbitrary code. Description CWE-121: Stack-based Buffer Overflow - CVE-2015-7547 According to a Google security blog post: "The glibc DNS client side resolver is...

8.1CVSS

8.7AI Score

0.974EPSS

2016-02-17 12:00 AM
87
cert

ffmpeg and Libav cross-domain information disclosure vulnerability

Overview ffmpeg is a "cross-platform solution to record, convert and stream audio and video". ffmpeg is vulnerable to local file disclosure due to improper enforcement of domain restrictions when processing playlist files. Description CWE-201: Information Exposure Through Sent Data -...

5.5CVSS

0.5AI Score

0.005EPSS

2016-01-20 12:00 AM
48
cert

OpenSSH Client contains a client information leak vulnerability and buffer overflow

Overview OpenSSH client code versions 5.4 through 7.1p1 contains a client information leak vulnerability that could allow an OpenSSH client to leak information not limited to but including private keys, as well as a buffer overflow in certain non-default configurations. Description CWE-200:...

8.1CVSS

0.2AI Score

0.003EPSS

2016-01-14 12:00 AM
372
Total number of security vulnerabilities: 2307