Describe how to read a FreeBSD Security Advisory.
Fix two nearby doc bugs.
This commit is contained in:
parent
506dc20f2f
commit
349b3a2c6b
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=18984
1 changed files with 202 additions and 2 deletions
@ -84,6 +84,11 @@
<para>What file system <acronym>ACL</acronym>s are and how to use them.</para>
</listitem>

<listitem>
<para>How to utililize the &os; security advisories
publications.</para>
</listitem>

</itemizedlist>

<para>Before reading this chapter, you should:</para>
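Review bot: typo in the added list item, `<para>How to utililize the &os; security advisories` should read `utilize`; the phrase "security advisories publications" is also awkward, and since the new section is titled "&os; Security Advisories" the item would read better as "How to make use of the &os; security advisories."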
@ -5351,7 +5356,7 @@ drwxr-xr-x 2 robert robert 512 Nov 10 11:54 public_html</programlisting>
<para>To change the <acronym>ACL</acronym> settings on this file,
invoke the &man.setfacl.1; utility. Observe:</para>

<screen>%<userinput>setfacl -k <filename>test</filename></userinput></screen>
<screen>&prompt.user;<userinput>setfacl -k <filename>test</filename></userinput></screen>

<para>The <literal>-k</literal> flag will remove all of the
currently defined <acronym>ACL</acronym>s from a file or file
@ -5359,7 +5364,7 @@ drwxr-xr-x 2 robert robert 512 Nov 10 11:54 public_html</programlisting>
<literal>-b</literal> as it leaves the basic fields required for
<acronym>ACL</acronym>s to work.</para>

<screen>%<userinput>-m u:trhodes:rwx,group:web:r--,o::--- <filename>test</filename></userinput></screen>
<screen>&prompt.user;<userinput>-m u:trhodes:rwx,group:web:r--,o::--- <filename>test</filename></userinput></screen>

<para>In the aforementioned command, the <literal>-m</literal>
option was used to modify the default <acronym>ACL</acronym>
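Review bot: the replacement line still lacks the command name: `&prompt.user;<userinput>-m u:trhodes:rwx,group:web:r--,o::--- <filename>test</filename></userinput>` starts with the `-m` option, so the example cannot be typed as shown. It should read `setfacl -m u:trhodes:rwx,group:web:r--,o::--- test`, matching the `setfacl -k` example in the previous hunk and the prose that follows ("the -m option was used to modify the default ACL").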
@ -5371,6 +5376,201 @@ drwxr-xr-x 2 robert robert 512 Nov 10 11:54 public_html</programlisting>
to <devicename>stdout</devicename>.</para>
</sect2>
</sect1>

<sect1 id="security-advisories">
<sect1info>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Rhodes</surname>
<contrib>Contributed by </contrib>
</author>
</authorgroup>
</sect1info>
<indexterm>
<primary>FreeBSD Security Advisories</primary>
</indexterm>
<title>&os; Security Advisories</title>

<para>Like many production quality operating systems, &os; publishes
<quote>Security Advisories</quote>. These advisories are usually
mailed to the security lists and noted in the Errata only
after the appropriate releases have been patched. This section
will work to explain what an advisory is, how to understand them,
and what measures to take in order to patch a system.</para>

<sect2>
<title>What does an advisory look like?</title>

<para>The &os; security advisories look similar to the one below,
taken from the security mailing list.</para>

<programlisting>=============================================================================
&os;-SA-XX:XX.UTIL Security Advisory
The &os; Project

Topic: denial of service due to some problem<co id="co-topic">

Category: core<co id="co-category">
Module: sys<co id="co-module">
Announced: 2003-09-23<co id="co-announce">
Credits: Person@EMAIL-ADDRESS<co id="co-credit">
Affects: All releases of &os;<co id="co-affects">
&os; 4-STABLE prior to the correction date
Corrected: 2003-09-23 16:42:59 UTC (RELENG_4, 4.9-PRERELEASE)
2003-09-23 20:08:42 UTC (RELENG_5_1, 5.1-RELEASE-p6)
2003-09-23 20:07:06 UTC (RELENG_5_0, 5.0-RELEASE-p15)
2003-09-23 16:44:58 UTC (RELENG_4_8, 4.8-RELEASE-p8)
2003-09-23 16:47:34 UTC (RELENG_4_7, 4.7-RELEASE-p18)
2003-09-23 16:49:46 UTC (RELENG_4_6, 4.6-RELEASE-p21)
2003-09-23 16:51:24 UTC (RELENG_4_5, 4.5-RELEASE-p33)
2003-09-23 16:52:45 UTC (RELENG_4_4, 4.4-RELEASE-p43)
2003-09-23 16:54:39 UTC (RELENG_4_3, 4.3-RELEASE-p39)<co id="co-corrected">
&os; only: NO<co id="co-only">

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
http://www.freebsd.org/security/.

I. Background<co id="co-backround">


II. Problem Description<co id="co-descript">


III. Impact<co id="co-impact">


IV. Workaround<co id="co-workaround">


V. Solution<co id="co-solution">


VI. Correction details<co id="co-details">


VII. References<co id="co-ref"></programlisting>


<calloutlist>
<callout arearefs="co-topic">
<para>The topic field indicates exactly what the problem is.
It is basically an introduction to the current security
advisory and notes the utility with the
vulnerability.</para>
</callout>

<callout arearefs="co-category">
<para>The Category refers to the affected part of the system
which may be one of core, contrib, or ports. The core
category means that the vulnerability affects a core
component of the &os; operating system. The contrib
category means that the vulnerability affects software
contributed to the &os; Project, such as
<application>Sendmail</application>. Finally the ports
category indicates that the vulnerability affects add on
software available as part of the ports collection.</para>
</callout>

<callout arearefs="co-module">
<para>The Module field refers to the component location, for
instance sys. In this example, we see that the module,
sys, is affected; therefor, this vulnerability
affects a component used within the kernel.</para>
</callout>

<callout arearefs="co-announce">
<para>The Announced field reflects the date said security
advisory was published, or announced to the world. This
means that the security team has verified that the problem
does exist and that a patch has been committed to the &os;
source code repository.</para>
</callout>

<callout arearefs="co-credit">
<para>The Credits field gives credit to the individual or
organization who noticed the vulnerability and reported
it.</para>
</callout>

<callout arearefs="co-affects">
<para>The Affects field explains which releases of &os; are
affected by this vulnerability. For the kernel, a quick
look over the output from <command>ident</command> on the
affected files will help in determining the revision.
For ports, the version number is listed after the port name
in <filename>/var/db/pkg</filename>. If the system does not
sync with the &os; <acronym>CVS</acronym> repository and rebuild
daily, chances are that it is affected.</para>
</callout>

<callout arearefs="co-corrected">
<para>The Corrected field indicates the date, time, time
offset, and release that was corrected.</para>
</callout>

<callout arearefs="co-only">
<para>The &os; only field indicates whether this vulnerability
affects just &os;, or if it affects other operating systems
as well.</para>
</callout>

<callout arearefs="co-backround">
<para>The background field gives information on exactly what
the affected utility is. Most of the time this is why
the utility exists in &os;, what it is used for, and a bit
of information on how the utility came to be.</para>
</callout>

<callout arearefs="co-descript">
<para>The Problem Description field explains the security hole
in depth. This can include information on flawed code, or
even how the utility could be maliciously used to open
a security hole.</para>
</callout>

<callout arearefs="co-impact">
<para>The Impact field describes what type of impact the
problem could have on a system. For example, this could
be anything from a denial of service attack, to extra
privileges available to users, or even giving the attacker
superuser access.</para>
</callout>

<callout arearefs="co-workaround">
<para>The Workaround field offers a feasible workaround to
system administrators who may be incapable of upgrading
the system. This may be due to time constraints, network
availability, or a slew of other reasons. Regardless,
security should not be taken lightly, and an affected system
should either be patched or the security hole workaround
should be implemented.</para>
</callout>

<callout arearefs="co-solution">
<para>The Solution field offers instructions on patching the
affected system. This is a step by step tested and verified
method for getting a system patched and working
securely.</para>
</callout>

<callout arearefs="co-details">
<para>The Correction Details field displays the
<acronym>CVS</acronym> branch or release name with the
periods changed to underscore characters. It also shows
the revision number of the affected files within each
branch.</para>

<callout arearefs="co-ref">
<para>The References field usually offers sources of other
information. This can included web <acronym>URL</acronym>s,
books, mailing lists, and newsgroups.</para>
</callout>
</calloutlist>
</sect2>
</sect1>
</chapter>

<!--
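Review bot: the `co-details` callout is never closed: `branch.</para>` is followed directly by `<callout arearefs="co-ref">` with no `</callout>` in between, so the `<calloutlist>` will not validate; add `</callout>` after `branch.</para>`. Smaller points in the same hunk: the id `co-backround` (used in both the `<co id>` and the matching `arearefs`) should be `co-background`; `sys, is affected; therefor, this vulnerability` should be `therefore`; `This can included web <acronym>URL</acronym>s` should be `can include`; `Finally the ports` wants a comma after `Finally`, and `add on software` should be hyphenated as `add-on`.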