14.11.FreeBSD 安全公告

像许多高质量操作系统的生产者一样。FreeBSD 项目有一个安全团队。负责确定每个 FreeBSD 发行版的生命周期结束 (EoL) 日期。并为尚未达到其 EoL 的受支持发行版提供安全更新。有关 FreeBSD 安全团队和支持的版本的更多信息,请访问 FreeBSD 安全页面

安全团队的一项任务是响应 FreeBSD 操作系统中报告的安全漏洞。确认漏洞后,安全团队将验证修复漏洞所需的步骤,并使用修复程序更新源代码。然后,它将详细信息发布为”安全公告”。安全公告发布在 FreeBSD 网站上。并邮寄到 FreeBSD 安全通知邮件列表FreeBSD 安全邮件列表FreeBSD 公告邮件列表 邮件列表。

本节讨论了 FreeBSD 安全公告的格式。

14.11.1. 安全公告的格式

下面是一个 FreeBSD 安全公告的例子:

  1. =============================================================================
  2. -----BEGIN PGP SIGNED MESSAGE-----
  3. Hash: SHA512
  5. =============================================================================
  6. FreeBSD-SA-14:04.bind                                       Security Advisory
  7.                                                           The FreeBSD Project
  9. Topic:          BIND remote denial of service vulnerability
  11. Category:       contrib
  12. Module:         bind
  13. Announced:      2014-01-14
  14. Credits:        ISC
  15. Affects:        FreeBSD 8.x and FreeBSD 9.x
  16. Corrected:      2014-01-14 19:38:37 UTC (stable/9, 9.2-STABLE)
  17.                 2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3)
  18.                 2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10)
  19.                 2014-01-14 19:38:37 UTC (stable/8, 8.4-STABLE)
  20.                 2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7)
  21.                 2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14)
  22. CVE Name:       CVE-2014-0591
  24. For general information regarding FreeBSD Security Advisories,
  25. including descriptions of the fields above, security branches, and the
  26. following sections, please visit <URL:http://security.FreeBSD.org/>.
  28. I.   Background
  30. BIND 9 is an implementation of the Domain Name System (DNS) protocols.
  31. The named(8) daemon is an Internet Domain Name Server.
  33. II.  Problem Description
  35. Because of a defect in handling queries for NSEC3-signed zones, BIND can
  36. crash with an "INSIST" failure in name.c when processing queries possessing
  37. certain properties.  This issue only affects authoritative nameservers with
  38. at least one NSEC3-signed zone.  Recursive-only servers are not at risk.
  40. III. Impact
  42. An attacker who can send a specially crafted query could cause named(8)
  43. to crash, resulting in a denial of service.
  45. IV.  Workaround
  47. No workaround is available, but systems not running authoritative DNS service
  48. with at least one NSEC3-signed zone using named(8) are not vulnerable.
  50. V.   Solution
  52. Perform one of the following:
  54. 1) Upgrade your vulnerable system to a supported FreeBSD stable or
  55. release / security branch (releng) dated after the correction date.
  57. 2) To update your vulnerable system via a source code patch:
  59. The following patches have been verified to apply to the applicable
  60. FreeBSD release branches.
  62. a) Download the relevant patch from the location below, and verify the
  63. detached PGP signature using your PGP utility.
  65. [FreeBSD 8.3, 8.4, 9.1, 9.2-RELEASE and 8.4-STABLE]
  66. # fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch
  67. # fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch.asc
  68. # gpg --verify bind-release.patch.asc
  70. [FreeBSD 9.2-STABLE]
  71. # fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch
  72. # fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch.asc
  73. # gpg --verify bind-stable-9.patch.asc
  75. b) Execute the following commands as root:
  77. # cd /usr/src
  78. # patch < /path/to/patch
  80. Recompile the operating system using buildworld and installworld as
  81. described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
  83. Restart the applicable daemons, or reboot the system.
  85. 3) To update your vulnerable system via a binary patch:
  87. Systems running a RELEASE version of FreeBSD on the i386 or amd64
  88. platforms can be updated via the man:freebsd-update[8] utility:
  90. # freebsd-update fetch
  91. # freebsd-update install
  93. VI.  Correction details
  95. The following list contains the correction revision numbers for each
  96. affected branch.
  98. Branch/path                                                      Revision
  99. - -------------------------------------------------------------------------
  100. stable/8/                                                         r260646
  101. releng/8.3/                                                       r260647
  102. releng/8.4/                                                       r260647
  103. stable/9/                                                         r260646
  104. releng/9.1/                                                       r260647
  105. releng/9.2/                                                       r260647
  106. - -------------------------------------------------------------------------
  108. To see which files were modified by a particular revision, run the
  109. following command, replacing NNNNNN with the revision number, on a
  110. machine with Subversion installed:
  112. # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
  114. Or visit the following URL, replacing NNNNNN with the revision number:
  116. <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
  118. VII. References
  120. <URL:https://kb.isc.org/article/AA-01078>
  122. <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0591>
  124. The latest revision of this advisory is available at
  125. <URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:04.bind.asc>
  126. -----BEGIN PGP SIGNATURE-----
  128. iQIcBAEBCgAGBQJS1ZTYAAoJEO1n7NZdz2rnOvQP/2/68/s9Cu35PmqNtSZVVxVG
  129. ZSQP5EGWx/lramNf9566iKxOrLRMq/h3XWcC4goVd+gZFrvITJSVOWSa7ntDQ7TO
  130. XcinfRZ/iyiJbs/Rg2wLHc/t5oVSyeouyccqODYFbOwOlk35JjOTMUG1YcX+Zasg
  131. ax8RV+7Zt1QSBkMlOz/myBLXUjlTZ3Xg2FXVsfFQW5/g2CjuHpRSFx1bVNX6ysoG
  132. 9DT58EQcYxIS8WfkHRbbXKh9I1nSfZ7/Hky/kTafRdRMrjAgbqFgHkYTYsBZeav5
  133. fYWKGQRJulYfeZQ90yMTvlpF42DjCC3uJYamJnwDIu8OhS1WRBI8fQfr9DRzmRua
  134. OK3BK9hUiScDZOJB6OqeVzUTfe7MAA4/UwrDtTYQ+PqAenv1PK8DZqwXyxA9ThHb
  135. zKO3OwuKOVHJnKvpOcr+eNwo7jbnHlis0oBksj/mrq2P9m2ueF9gzCiq5Ri5Syag
  136. Wssb1HUoMGwqU0roS8+pRpNC8YgsWpsttvUWSZ8u6Vj/FLeHpiV3mYXPVMaKRhVm
  137. 067BA2uj4Th1JKtGleox+Em0R7OFbCc/9aWC67wiqI6KRyit9pYiF3npph+7D5Eq
  138. 7zPsUdDd+qc+UTiLp3liCRp5w6484wWdhZO6wRtmUgxGjNkxFoNnX8CitzF8AaqO
  139. UWWemqWuz3lAZuORQ9KX
  140. =OQzQ
  141. -----END PGP SIGNATURE-----

每个安全公告都使用以下格式:

  • 每个安全公告都由安全官员的 PGP 密钥签名。安全官的公钥可以在 OpenPGP密钥 中验证。
  • 安全公告的名字总是以 FreeBSD-SA- 开头 (代表 FreeBSD 安全公告),后面是两位数格式的年份 (14:),然后是该年的公告编号 (04.),再后面是受影响的应用程序或子系统的名称 (bind)。这里显示的咨询是2014年的第四个咨询,它影响到 BIND。
  • Topic 字段总结了该漏洞。
  • Category 指系统中受影响的部分,可以是 corecontribports 之一。core 类别意味着该漏洞影响了 FreeBSD 操作系统的核心组件。contrib 类别意味着该漏洞会影响 FreeBSD 附带的软件,例如 BIND。ports 类别表示该漏洞影响通过端口集合提供的软件。
  • module 字段指的是组件的位置。在这个例子中,bind 模块受到了影响;因此,这个漏洞影响了随操作系统安装的应用程序。
  • Announced 字段反映安全通报的发布日期。这意味着安全团队已经验证了问题的存在,并且已经将补丁提交到 FreeBSD 源代码存储库。
  • Credits 字段表示注意到漏洞并报告它的个人或组织。
  • Affects 字段解释了哪些 FreeBSD 版本受此漏洞影响。
  • Corrected 指出了被纠正的日期、时间、时间偏移和版本。括号中的部分显示了已经合并了修正的每个分支。以及该分支对应的版本号。版本标识符本身包括版本号,如果合适,还包括补丁级别。补丁级别是字母 p 后面的数字,表示补丁的序列号,允许用户跟踪哪些补丁已经应用到系统中。
  • CVE Name 字段列出了公共 cve.mitre.org 安全漏洞数据库中的咨询编号(如果存在)。
  • Background 字段提供受影响模块的说明。
  • Problem Description 字段说明了此漏洞。这可能包括有关有缺陷的代码以及如何恶意使用实用程序的信息。
  • Impact 字段描述问题可能对系统产生的影响类型。
  • Workaround 字段指示无法立即修补系统的系统管理员是否可以使用变通办法。
  • Solution 字段提供了有关修补受影响系统的说明。这是一种经过逐步测试和验证的方法,用于修补系统并安全运行。
  • Correction Details 字段显示每个受影响的 Subversion 分支,其中包含包含更正代码的修订版号。
  • References 字段提供了有关此漏洞的其他信息来源。