Bug #18474

Outdated Packages - Multiple Vulnerabilities

Added by Lee Shin almost 3 years ago. Updated almost 3 years ago.

Status:
Closed: Duplicate
Priority:
Important
Assignee:
Josh Paetzel
Category:
OS
Target version:
Seen in:
Severity:
New
Reason for Closing:
Reason for Blocked:
Needs QA:
Yes
Needs Doc:
Yes
Needs Merging:
Yes
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:
ChangeLog Required:
No

Description

Hi,

A bunch of outdated packages have been picked up by Nessus on my FreeNAS 9.10.1-U2:

--------------------------------------------------------------------------------------------------------------------------------------------
MEDIUM FreeBSD : SQLite3 -- Tempdir Selection Vulnerability

Description

KoreLogic security reports :

Affected versions of SQLite reject potential tempdir locations if they are not readable, falling back to '.'. Thus, SQLite will favor e.g.
using cwd for tempfiles on such a system, even if cwd is an unsafe location. Notably, SQLite also checks the permissions of '.', but ignores the results of that check.
Solution

Update the affected package.
See Also

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209827
https://www.korelogic.com/Resources/Advisories/KL-001-2016-003.txt
http://openwall.com/lists/oss-security/2016/07/01/2
http://www.sqlite.org/cgi/src/info/67985761aa93fb61
http://www.sqlite.org/cgi/src/info/b38fe522cfc971b3
http://www.sqlite.org/cgi/src/info/614bb709d34e1148
http://www.nessus.org/u?b5a2cab5

Output
- Package : sqlite3
Installed version : 3.11.1
Affected version(s) : < 3.13.0

--------------------------------------------------------------------------------------------------------------------------------------------
MEDIUM FreeBSD : Python -- smtplib StartTLS stripping vulnerability

Description

Red Hat reports :

A vulnerability in smtplib allowing MITM attacker to perform a startTLS stripping attack. smtplib does not seem to raise an exception when the remote end (smtp server) is capable of negotiating starttls but fails to respond with 220 (ok) to an explicit call of SMTP.starttls(). This may allow a malicious MITM to perform a startTLS stripping attack if the client code does not explicitly check the response code for startTLS.
Solution

Update the affected packages.
See Also

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0772
http://www.nessus.org/u?b53189ca
Output
- Package : python27
Installed version : 2.7.11_3
Affected version(s) : < 2.7.12

--------------------------------------------------------------------------------------------------------------------------------------------
MEDIUM FreeBSD : proftpd -- vulnerability in mod_tls

Description

MITRE reports :

The mod_tls module in ProFTPD before 1.3.5b and 1.3.6 before 1.3.6rc2 does not properly handle the TLSDHParamFile directive, which might cause a weaker than intended Diffie-Hellman (DH) key to be used and consequently allow attackers to have unspecified impact via unknown vectors.
Solution

Update the affected packages.
See Also

http://www.nessus.org/u?75bfbae2
Output
- Package : proftpd
Installed version : 1.3.5a_2
Affected version(s) : < 1.3.5b

--------------------------------------------------------------------------------------------------------------------------------------------
MEDIUM FreeBSD : p5-XSLoader -- local arbitrary code execution

Description

Jakub Wilk reports :

XSLoader tries to load code from a subdirectory in the cwd when called inside a string eval
Solution

Update the affected packages.
See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829578
http://www.nessus.org/u?28199099
Output
- Package : perl5
Installed version : 5.20.3_12
Affected version(s) : >= 5.20 < 5.20.3_15

--------------------------------------------------------------------------------------------------------------------------------------------
MEDIUM FreeBSD : libidn -- multiple vulnerabilities

Description

Simon Josefsson reports :

libidn: Fix out-of-bounds stack read in idna_to_ascii_4i.

idn: Solve out-of-bounds-read when reading one zero byte as input.
Also replaced fgets with getline.

libidn: stringprep_utf8_nfkc_normalize reject invalid UTF-8. It was always documented to only accept UTF-8 data, but now it doesn't crash when presented with such data.
Solution

Update the affected package.
See Also

https://lists.gnu.org/archive/html/help-libidn/2016-07/msg00009.html
http://www.openwall.com/lists/oss-security/2016/07/21/4
http://www.nessus.org/u?26a36d89
Output
- Package : libidn
Installed version : 1.31
Affected version(s) : < 1.33

--------------------------------------------------------------------------------------------------------------------------------------------
MEDIUM FreeBSD : collectd -- Network plugin heap overflow

Description

The collectd Project reports :

Emilien Gaspar has identified a heap overflow in collectd's network plugin which can be triggered remotely and is potentially exploitable.
Solution

Update the affected package.
See Also

http://collectd.org/news.shtml#news98
http://www.nessus.org/u?2f30e8bc
Output
- Package : collectd5
Installed version : 5.5.0_5
Affected version(s) : < 5.5.2

--------------------------------------------------------------------------------------------------------------------------------------------
MEDIUM FreeBSD : apache24 -- X509 Client certificate based authentication can be bypassed

Description

Apache Software Foundation reports :

The Apache HTTPD web server (from 2.4.18-2.4.20) did not validate a X509 client certificate correctly when experimental module for the HTTP/2 protocol is used to access a resource.

The net result is that a resource that should require a valid client certificate in order to get access can be accessed without that credential.
Solution

Update the affected package.
See Also

http://www.nessus.org/u?089dcd60
http://www.nessus.org/u?93c5c083
Output
- Package : apache24
Installed version : 2.4.20_1
Affected version(s) : >= 2.4.18 < 2.4.23


Related issues

Is duplicate of FreeNAS - Feature #18630: Update to 2016Q4 Ports Tree (Resolved, 2016-10-31)

History

#1 Updated by Lee Shin almost 3 years ago

  • Subject changed from Outdated Packages - Multiple MEDIUM Vulnerabilities to Outdated Packages - Multiple Vulnerabilities

Some more, ran out of space:

HIGH FreeBSD : X.org libraries -- multiple vulnerabilities

Description

Matthieu Herrb reports :

Tobias Stoeckmann from the OpenBSD project has discovered a number of issues in the way various X client libraries handle the responses they receive from servers, and has worked with X.Org's security team to analyze, confirm, and fix these issues. These issues come in addition to the ones discovered by Ilja van Sprundel in 2013.

Most of these issues stem from the client libraries trusting the server to send correct protocol data, and not verifying that the values will not overflow or cause other damage. Most of the time X clients and servers are run by the same user, with the server more privileged than the clients, so this is not a problem, but there are scenarios in which a privileged client can be connected to an unprivileged server, for instance, connecting a setuid X client (such as a screen lock program) to a virtual X server (such as Xvfb or Xephyr) which the user has modified to return invalid data, potentially allowing the user to escalate their privileges.
Solution

Update the affected packages.
See Also

https://lists.x.org/archives/xorg-announce/2016-October/002720.html
http://www.nessus.org/u?c7a7dbd7
Output
- Package : libX11
Installed version : 1.6.3,1
Affected version(s) : < 1.6.4,1

--------------------------------------------------------------------------------------------------------------------------------------------
HIGH FreeBSD : Vulnerabilities in Curl

Description

Curl security team reports :

CVE-2016-5419 - TLS session resumption client cert bypass

CVE-2016-5420 - Re-using connections with wrong client cert

CVE-2016-5421 - use of connection struct after free
Solution

Update the affected package.
See Also

https://curl.haxx.se/docs/adv_20160803A.html
https://curl.haxx.se/docs/adv_20160803B.html
https://curl.haxx.se/docs/adv_20160803C.html
http://www.nessus.org/u?e3096a13
Output
- Package : curl
Installed version : 7.48.0_1
Affected version(s) : >= 7.32.0 < 7.50.1

--------------------------------------------------------------------------------------------------------------------------------------------
HIGH FreeBSD : perl -- local arbitrary code execution

Description

Sawyer X reports :

Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.
Solution

Update the affected packages.
See Also

http://www.nessus.org/u?a0f69b2c
http://www.nessus.org/u?c11bde38
Output
- Package : perl5
Installed version : 5.20.3_12
Affected version(s) : >= 5.20 < 5.20.3_14

--------------------------------------------------------------------------------------------------------------------------------------------
HIGH FreeBSD : OpenSSL -- multiple vulnerabilities

Description

OpenSSL reports :

High: OCSP Status Request extension unbounded memory growth

SSL_peek() hang on empty record

SWEET32 Mitigation

OOB write in MDC2_Update()

Malformed SHA512 ticket DoS

OOB write in BN_bn2dec()

OOB read in TS_OBJ_print_bio()

Pointer arithmetic undefined behaviour

Constant time flag not preserved in DSA signing

DTLS buffered message DoS

DTLS replay protection DoS

Certificate message OOB reads

Excessive allocation of memory in tls_get_message_header()

Excessive allocation of memory in dtls1_preprocess_fragment()

NB: LibreSSL is only affected by CVE-2016-6304
Solution

Update the affected packages.
See Also

https://www.openssl.org/news/secadv/20160922.txt
http://www.nessus.org/u?701b9caf
Output
- Package : openssl
Installed version : 1.0.2_14
Affected version(s) : < 1.0.2i,1

--------------------------------------------------------------------------------------------------------------------------------------------
HIGH FreeBSD : Multiple ports -- Proxy HTTP header vulnerability (httpoxy)

Description

httpoxy.org reports :

httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:

- RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY

- HTTP_PROXY is a popular environment variable used to configure an outgoing proxy

This leads to a remotely exploitable vulnerability.
Solution

Update the affected packages.
See Also

https://httpoxy.org/
https://www.kb.cert.org/vuls/id/797896
http://www.nessus.org/u?2413f04a
Output
- Package : apache24
Installed version : 2.4.20_1
Affected version(s) : < 2.4.23_1

--------------------------------------------------------------------------------------------------------------------------------------------
HIGH FreeBSD : gnutls -- OCSP validation issue

Description

gnutls.org reports :

Stefan Buhler discovered an issue that affects validation of certificates using OCSP responses, which can falsely report a certificate as valid under certain circumstances.
Solution

Update the affected package.
See Also

https://gnutls.org/security.html#GNUTLS-SA-2016-3
http://www.nessus.org/u?8cea03d0
Output
- Package : gnutls
Installed version : 3.4.10
Affected version(s) : < 3.4.15

--------------------------------------------------------------------------------------------------------------------------------------------
HIGH FreeBSD : gnupg -- attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output

Description

Werner Koch reports :

There was a bug in the mixing functions of Libgcrypt's random number generator: An attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output. This bug exists since 1998 in all GnuPG and Libgcrypt versions.
Solution

Update the affected packages.
See Also

https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html
http://www.nessus.org/u?00d6df39
Output
- Package : libgcrypt
Installed version : 1.7.1
Affected version(s) : < 1.7.3

--------------------------------------------------------------------------------------------------------------------------------------------
HIGH FreeBSD : cURL -- Escape and unescape integer overflows

Description

The cURL project reports

The four libcurl functions curl_escape(), curl_easy_escape(), curl_unescape and curl_easy_unescape perform string URL percent escaping and unescaping. They accept custom string length inputs in signed integer arguments.

The provided string length arguments were not properly checked and due to arithmetic in the functions, passing in the length 0xffffffff (2^32-1 or UINT_MAX or even just -1) would end up causing an allocation of zero bytes of heap memory that curl would attempt to write gigabytes of data into.
Solution

Update the affected package.
See Also

https://curl.haxx.se/docs/adv_20160914.html
http://www.nessus.org/u?8776458c
Output
- Package : curl
Installed version : 7.48.0_1
Affected version(s) : >= 7.11.1 < 7.50.3

--------------------------------------------------------------------------------------------------------------------------------------------
CRITICAL FreeBSD : OpenSSL -- multiple vulnerabilities

Description

OpenSSL reports :

Critical vulnerability in OpenSSL 1.1.0a Fix Use After Free for large message sizes (CVE-2016-6309)

Moderate vulnerability in OpenSSL 1.0.2i Missing CRL sanity check (CVE-2016-7052)
Solution

Update the affected packages.
See Also

https://www.openssl.org/news/secadv/20160926.txt
http://www.nessus.org/u?b11ff5b1
Output
- Package : openssl
Installed version : 1.0.2_14
Affected version(s) : < 1.0.2j,1

--------------------------------------------------------------------------------------------------------------------------------------------
CRITICAL FreeBSD : libxml2 -- multiple vulnerabilities

Description

Daniel Veillard reports :

More format string warnings with possible format string vulnerability (David Kilzer)

Avoid building recursive entities (Daniel Veillard)

Heap-based buffer overread in htmlCurrentChar (Pranjal Jumde)

Heap-based buffer-underreads due to xmlParseName (David Kilzer)

Heap use-after-free in xmlSAX2AttributeNs (Pranjal Jumde)

Heap use-after-free in htmlParsePubidLiteral and htmlParseSystemLiteral (Pranjal Jumde)

Fix some format string warnings with possible format string vulnerability (David Kilzer)

Detect change of encoding when parsing HTML names (Hugh Davenport)

Fix inappropriate fetch of entities content (Daniel Veillard)

Bug 759398: Heap use-after-free in xmlDictComputeFastKey (Pranjal Jumde)

Bug 758605: Heap-based buffer overread in xmlDictAddString (Pranjal Jumde)

Bug 758588: Heap-based buffer overread in xmlParserPrintFileContextInternal (David Kilzer)

Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup (Pranjal Jumde)

Add missing increments of recursion depth counter to XML parser.
(Peter Simons)

Fix NULL pointer deref in XPointer range-to
Solution

Update the affected package.
See Also

https://mail.gnome.org/archives/xml/2016-May/msg00023.html
https://bugzilla.gnome.org/show_bug.cgi?id=759398
https://bugzilla.gnome.org/show_bug.cgi?id=758605
https://bugzilla.gnome.org/show_bug.cgi?id=758588
https://bugzilla.gnome.org/show_bug.cgi?id=757711
http://www.nessus.org/u?96b5bf04
http://www.nessus.org/u?6e0c0388
Output
- Package : libxml2
Installed version : 2.9.3
Affected version(s) : < 2.9.4

That's ALL.

#2 Updated by Kris Moore almost 3 years ago

  • Assignee set to Josh Paetzel
  • Priority changed from No priority to Important
  • Target version set to 9.10.2

Might be time to do a ports update for 9.10.2.

#3 Updated by Josh Paetzel almost 3 years ago

  • Status changed from Unscreened to Screened

#4 Updated by Josh Paetzel almost 3 years ago

#5 Updated by Josh Paetzel almost 3 years ago

  • Status changed from Screened to Closed: Duplicate