FreeBSD Security Officer | 1 Dec 02:20 2009

Upcoming FreeBSD Security Advisory


Hi all,

A short time ago a "local root" exploit was posted to the full-disclosure
mailing list; as the name suggests, this allows a local user to execute
arbitrary code as root.

Normally it is the policy of the FreeBSD Security Team to not publicly
discuss security issues until an advisory is ready, but in this case
since exploit code is already widely available I want to make a patch
available ASAP.  Due to the short timeline, it is possible that this
patch will not be the final version which is provided when an advisory
is sent out; it is even possible (although highly doubtful) that this
patch does not fully fix the issue or introduces new issues -- in short,
use at your own risk (even more than usual).

The patch is at
  http://people.freebsd.org/~cperciva/rtld.patch
and has SHA256 hash
  ffcba0c20335dd83e9ac0d0e920faf5b4aedf366ee5a41f548b95027e3b770c1

I expect a full security advisory concerning this issue will go out on
Wednesday December 2nd.
Dan Langille | 1 Dec 03:04 2009

BSDCan 2010

Hello folks,

BSDCan 2010 will be held 13-14 May, 2010 in Ottawa at the University of
Ottawa. It will be preceded by two days of tutorials on 11-12 May.

We are now accepting proposals for talks.

The talks should be designed with a very strong technical content bias.
Proposals of a business development or marketing nature are not
appropriate for this venue.

If you are doing something interesting with a BSD operating system,
please submit a proposal. Whether you are developing a very complex
system using BSD as the foundation, or helping others and have a story
to tell about how BSD played a role, we want to hear about your
experience.  People using BSD as a platform for research are also
encouraged to submit a proposal. Possible topics include:

* How we manage a giant installation with respect to handling spam.
* and/or sysadmin.
* and/or networking.

 From the BSDCan website, the Archives section will allow you to review
the wide variety of past BSDCan presentations as further examples.

Both users and developers are encouraged to share their experiences.

The schedule is:

19 Dec 2009 Proposal acceptance begins
(Continue reading)


FreeBSD Security Advisory FreeBSD-SA-09:15.ssl


=============================================================================
FreeBSD-SA-09:15.ssl                                        Security Advisory
                                                          The FreeBSD Project

Topic:          SSL protocol flaw

Category:       contrib
Module:         openssl
Announced:      2009-12-03
Credits:        Marsh Ray, Steve Dispensa
Affects:        All supported versions of FreeBSD.
Corrected:      2009-12-03 09:18:40 UTC (RELENG_8, 8.0-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_8_0, 8.0-RELEASE-p1)
                2009-12-03 09:18:40 UTC (RELENG_7, 7.2-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_7_2, 7.2-RELEASE-p5)
                2009-12-03 09:18:40 UTC (RELENG_7_1, 7.1-RELEASE-p9)
                2009-12-03 09:18:40 UTC (RELENG_6, 6.4-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_6_4, 6.4-RELEASE-p8)
                2009-12-03 09:18:40 UTC (RELENG_6_3, 6.3-RELEASE-p14)
CVE Name:       CVE-2009-3555

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols
provide a secure communications layer over which other protocols can be
(Continue reading)


FreeBSD Security Advisory FreeBSD-SA-09:16.rtld


=============================================================================
FreeBSD-SA-09:16.rtld                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Improper environment sanitization in rtld(1)

Category:       core
Module:         rtld
Announced:      2009-12-03
Affects:        FreeBSD 7.0 and later.
Corrected:      2009-12-01 02:59:22 UTC (RELENG_8, 8.0-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_8_0, 8.0-RELEASE-p1)
                2009-12-01 03:00:16 UTC (RELENG_7, 7.2-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_7_2, 7.2-RELEASE-p5)
                2009-12-03 09:18:40 UTC (RELENG_7_1, 7.1-RELEASE-p9)
CVE Name:       CVE-2009-4146, CVE-2009-4147

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The run-time link-editor, rtld, links dynamic executables with their
needed libraries at run-time.  It also allows users to explicitly
load libraries via various LD_ environment variables.

II.  Problem Description

(Continue reading)


FreeBSD Security Advisory FreeBSD-SA-09:17.freebsd-update


=============================================================================
FreeBSD-SA-09:17.freebsd-update                             Security Advisory
                                                          The FreeBSD Project

Topic:          Inappropriate directory permissions in freebsd-update(8)

Category:       core
Module:         usr.sbin
Announced:      2009-12-03
Credits:        KAMADA Ken'ichi
Affects:        All supported versions of FreeBSD.
Corrected:      2009-12-03 09:18:40 UTC (RELENG_8, 8.0-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_8_0, 8.0-RELEASE-p1)
                2009-12-03 09:18:40 UTC (RELENG_7, 7.2-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_7_2, 7.2-RELEASE-p5)
                2009-12-03 09:18:40 UTC (RELENG_7_1, 7.1-RELEASE-p9)
                2009-12-03 09:18:40 UTC (RELENG_6, 6.4-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_6_4, 6.4-RELEASE-p8)
                2009-12-03 09:18:40 UTC (RELENG_6_3, 6.3-RELEASE-p14)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The freebsd-update(8) utility is used to fetch, install, and rollback
updates to the FreeBSD base system, and also to upgrade from one FreeBSD
release to another.
(Continue reading)


FreeBSD Security Advisory FreeBSD-SA-09:15.ssl [REVISED]


=============================================================================
FreeBSD-SA-09:15.ssl                                        Security Advisory
                                                          The FreeBSD Project

Topic:          SSL protocol flaw

Category:       contrib
Module:         openssl
Announced:      2009-12-03
Credits:        Marsh Ray, Steve Dispensa
Affects:        All supported versions of FreeBSD.
Corrected:      2009-12-03 09:18:40 UTC (RELENG_8, 8.0-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_8_0, 8.0-RELEASE-p1)
                2009-12-03 09:18:40 UTC (RELENG_7, 7.2-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_7_2, 7.2-RELEASE-p5)
                2009-12-03 09:18:40 UTC (RELENG_7_1, 7.1-RELEASE-p9)
                2009-12-03 09:18:40 UTC (RELENG_6, 6.4-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_6_4, 6.4-RELEASE-p8)
                2009-12-03 09:18:40 UTC (RELENG_6_3, 6.3-RELEASE-p14)
CVE Name:       CVE-2009-3555

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

0.   Revision History

v1.0 2009-12-03  Initial release.
v1.1 2009-12-03  Corrected instructions in section V.2)b).
(Continue reading)

Deb Goodkin | 17 Dec 21:12 2009

Foundation End-of-Year Fund Raising Drive Update

Dear FreeBSD Community,

We would like to thank everyone who has donated to the FreeBSD
Foundation this year. We have raised $183,888 towards our 2009 goal of
$300,000! We are almost 2/3 of the way to reaching our goal! Oh, and
BTW, we have had 671 donors this year. This is compared to just over 300
this time last year. This is important not only to help us keep our
Public Charity Status, but it shows there are many users who are
passionate about FreeBSD and want to show their support.

With the weakened economy we have been very conservative with our
spending this year. But, like each previous year we have increased the
amount we have spent on the FreeBSD Project and community. We were blown
away with the number of project proposals we received this year. We were
able to fund 7 projects this year. Unfortunately we didn't have the
budget to fund all the proposals we received.

This coming year we want to double the amount we spend on project
development. In order to accomplish this, we need to meet our
fund-raising goal.

Why do we need donations?

The goal of the FreeBSD Project is to provide software that may be used
for any purpose -- and without strings attached.  Our mission is to
support the FreeBSD Project and community. Our funding comes from people
like you – those who are determined to keep FreeBSD free!

How have we spent the money this year?

(Continue reading)

Matt Olander | 24 Dec 01:28 2009

FreeBSD Mall now shipping 8.0

Happy holidays, everyone!

FreeBSD Mall, Inc. is happy to announce the availability of FreeBSD
8.0-based products.  The four CD set and DVD are now shipping to
subscribers around the world.

If you haven't yet placed your order, you may do so at
http://www.freebsdmall.com.

You may also elect to start your subscription with the latest release.
Sit back and relax while each new release of FreeBSD is delivered
straight to your door.

In addition to CD and DVD products and toolkit, we also have a large
collection of FreeBSD shirts, hats, jackets, boxer shorts, stickers,
case-plates, mouse pads, and other promotional materials.

Thanks and enjoy!

-matt
_______________________________________________
freebsd-announce <at> freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-announce
To unsubscribe, send any mail to "freebsd-announce-unsubscribe <at> freebsd.org"

Deb Goodkin | 26 Dec 16:53 2009

Foundation's End-of-Year Newsletter

Dear FreeBSD Community,

We are pleased to announce the publication of The FreeBSD Foundation's
End-of-Year Newsletter.

Go to http://www.freebsdfoundation.org/press/2009Dec-newsletter.shtml
to find out how we have supported the FreeBSD Project and community this
year.

BTW, you can still make a donation to the foundation for 2009. Please go 
to http://www.freebsdfoundation.org/donate/ to find out how to make a 
donation.

Sincerely,

The FreeBSD Foundation

Deb Goodkin | 30 Dec 21:47 2009

Foundation End-of-Year Fund Raising Drive Final Plea!

Dear FreeBSD Community,

We want to extend a very sincere thank you to everyone who has made a 
donation this year. Right now in Boulder, Colorado at around 1:30 PM, 
December 30, we have logged $254,000 in donations from 833 donors! We 
are so grateful for all the support.

But, we wanted to make one last plea for donations this year. Our goal 
is $300,000. Please consider making a donation if you haven't already 
made one. Or, better yet, talk to your employer. Though we know most of 
you won't be working tomorrow.

Why make a donation? Right now we're putting together our 2010 budget. 
Our goal for next year is to double our project development spending, 
continue sponsoring BSD-related conferences, sponsor more developers to 
travel to these conferences, and spend more on needed equipment for the 
project.

Here is a list of what we did spend the money on in 2009:

•    Sponsored FreeBSD related conferences like BSDCan, EuroBSDCon,
AsiaBSDCon, KyivBSD, and DCBSDCon.

•    Provided 15 travel grants and funding to individuals to attend
these and other conferences this year.

•    Provided grants for projects that improve FreeBSD, like
wireless mesh support, FreeBSD TCP stack improvements, new console
driver, safe removal of disk devices, flattened device tree, and high
available storage projects.
(Continue reading)
