Update example Security Advisory and its descriptions.

Next commit will add to the introduction of this section.

Sponsored by: iXsystems
Dru Lavigne 2014-03-21 17:25:31 +00:00
parent dc0d4a6810
commit 9ac17eedd1
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=44311


@ -3183,66 +3183,178 @@ You are advised to update or deinstall the affected package(s) immediately.</pro
<sect2>
<title>What Does an Advisory Look Like?</title>
<para>&os; security advisories use the format seen in this
example:</para>
<para>Here is an example of a &os; security advisory:</para>
<programlisting>=============================================================================
FreeBSD-SA-XX:XX.UTIL Security Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-14:04.bind Security Advisory
The FreeBSD Project
Topic: denial of service due to some problem <co xml:id="co-topic"/>
Topic: BIND remote denial of service vulnerability
Category: core <co xml:id="co-category"/>
Module: sys <co xml:id="co-module"/>
Announced: 2003-09-23 <co xml:id="co-announce"/>
Credits: Person <co xml:id="co-credit"/>
Affects: All releases of &os; <co xml:id="co-affects"/>
&os; 4-STABLE prior to the correction date
Corrected: 2003-09-23 16:42:59 UTC (RELENG_4, 4.9-PRERELEASE)
2003-09-23 20:08:42 UTC (RELENG_5_1, 5.1-RELEASE-p6)
2003-09-23 20:07:06 UTC (RELENG_5_0, 5.0-RELEASE-p15)
2003-09-23 16:44:58 UTC (RELENG_4_8, 4.8-RELEASE-p8)
2003-09-23 16:47:34 UTC (RELENG_4_7, 4.7-RELEASE-p18)
2003-09-23 16:49:46 UTC (RELENG_4_6, 4.6-RELEASE-p21)
2003-09-23 16:51:24 UTC (RELENG_4_5, 4.5-RELEASE-p33)
2003-09-23 16:52:45 UTC (RELENG_4_4, 4.4-RELEASE-p43)
2003-09-23 16:54:39 UTC (RELENG_4_3, 4.3-RELEASE-p39) <co xml:id="co-corrected"/>
<acronym>CVE</acronym> Name: CVE-XXXX-XXXX <co xml:id="co-cve"/>
Category: contrib
Module: bind
Announced: 2014-01-14
Credits: ISC
Affects: FreeBSD 8.x and FreeBSD 9.x
Corrected: 2014-01-14 19:38:37 UTC (stable/9, 9.2-STABLE)
2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3)
2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10)
2014-01-14 19:38:37 UTC (stable/8, 8.4-STABLE)
2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7)
2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14)
CVE Name: CVE-2014-0591
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
http://www.FreeBSD.org/security/.
following sections, please visit &lt;URL:http://security.FreeBSD.org/&gt;.
I. Background <co xml:id="co-backround"/>
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.
II. Problem Description <co xml:id="co-descript"/>
II. Problem Description
Because of a defect in handling queries for NSEC3-signed zones, BIND can
crash with an "INSIST" failure in name.c when processing queries possessing
certain properties. This issue only affects authoritative nameservers with
at least one NSEC3-signed zone. Recursive-only servers are not at risk.
III. Impact <co xml:id="co-impact"/>
III. Impact
An attacker who can send a specially crafted query could cause named(8)
to crash, resulting in a denial of service.
IV. Workaround <co xml:id="co-workaround"/>
IV. Workaround
No workaround is available, but systems not running authoritative DNS service
with at least one NSEC3-signed zone using named(8) are not vulnerable.
V. Solution <co xml:id="co-solution"/>
V. Solution
Perform one of the following:
VI. Correction details <co xml:id="co-details"/>
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a source code patch:
VII. References <co xml:id="co-ref"/></programlisting>
The following patches have been verified to apply to the applicable
FreeBSD release branches.
<calloutlist>
<callout arearefs="co-topic">
<para>The <literal>Topic</literal> field specifies the
problem. It provides an introduction to the security
advisory and notes the utility affected by the
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 8.3, 8.4, 9.1, 9.2-RELEASE and 8.4-STABLE]
# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch
# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch.asc
# gpg --verify bind-release.patch.asc
[FreeBSD 9.2-STABLE]
# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch
# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch.asc
# gpg --verify bind-stable-9.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch &lt; /path/to/patch
Recompile the operating system using buildworld and installworld as
described in &lt;URL:http://www.FreeBSD.org/handbook/makeworld.html&gt;.
Restart the applicable daemons, or reboot the system.
3) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r260646
releng/8.3/ r260647
releng/8.4/ r260647
stable/9/ r260646
releng/9.1/ r260647
releng/9.2/ r260647
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
&lt;URL:http://svnweb.freebsd.org/base?view=revision&amp;revision=NNNNNN&gt;
VII. References
&lt;URL:https://kb.isc.org/article/AA-01078&gt;
&lt;URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0591&gt;
The latest revision of this advisory is available at
&lt;URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:04.bind.asc&gt;
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJS1ZTYAAoJEO1n7NZdz2rnOvQP/2/68/s9Cu35PmqNtSZVVxVG
ZSQP5EGWx/lramNf9566iKxOrLRMq/h3XWcC4goVd+gZFrvITJSVOWSa7ntDQ7TO
XcinfRZ/iyiJbs/Rg2wLHc/t5oVSyeouyccqODYFbOwOlk35JjOTMUG1YcX+Zasg
ax8RV+7Zt1QSBkMlOz/myBLXUjlTZ3Xg2FXVsfFQW5/g2CjuHpRSFx1bVNX6ysoG
9DT58EQcYxIS8WfkHRbbXKh9I1nSfZ7/Hky/kTafRdRMrjAgbqFgHkYTYsBZeav5
fYWKGQRJulYfeZQ90yMTvlpF42DjCC3uJYamJnwDIu8OhS1WRBI8fQfr9DRzmRua
OK3BK9hUiScDZOJB6OqeVzUTfe7MAA4/UwrDtTYQ+PqAenv1PK8DZqwXyxA9ThHb
zKO3OwuKOVHJnKvpOcr+eNwo7jbnHlis0oBksj/mrq2P9m2ueF9gzCiq5Ri5Syag
Wssb1HUoMGwqU0roS8+pRpNC8YgsWpsttvUWSZ8u6Vj/FLeHpiV3mYXPVMaKRhVm
067BA2uj4Th1JKtGleox+Em0R7OFbCc/9aWC67wiqI6KRyit9pYiF3npph+7D5Eq
7zPsUdDd+qc+UTiLp3liCRp5w6484wWdhZO6wRtmUgxGjNkxFoNnX8CitzF8AaqO
UWWemqWuz3lAZuORQ9KX
=OQzQ
-----END PGP SIGNATURE-----</programlisting>
<para>Every security advisory uses the following format:</para>
<itemizedlist>
<listitem>
<para>Each security advisory is signed by the
<acronym>PGP</acronym> key of the Security Officer. The
public key for the Security Officer can be verified at
<xref linkend="pgpkeys"/>.</para>
</listitem>
<listitem>
<para>The name of the security advisory always begins with
<literal>FreeBSD-SA-</literal> (for FreeBSD Security
Advisory), followed by the year in two digit format
(<literal>14:</literal>), followed by the advisory number
for that year (<literal>04.</literal>), followed by the
name of the affected application or subsystem
(<literal>bind</literal>). The advisory shown here is the
fourth advisory for 2014 and it affects
<application>BIND</application>.</para>
</listitem>
<listitem>
<para>The <literal>Topic</literal> field summarizes the
vulnerability.</para>
</callout>
</listitem>
<callout arearefs="co-category">
<listitem>
<para>The <literal>Category</literal> refers to the
affected part of the system which may be one of
<literal>core</literal>, <literal>contrib</literal>, or
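Review bot: The first list item under "Every security advisory uses the following format:" says the Security Officer's public key "can be verified at <xref linkend="pgpkeys"/>", which tells the reader where the key is listed but not that the key is what the advisory's signature is checked against. Suggest rewording so the item says the key is available at that reference and is used to verify the advisory, and pointing to the .asc URL that the listing already gives under "The latest revision of this advisory is available at" as the copy to verify. In the naming item, the literals "14:" and "04." include the separator characters; moving the colon and period outside the <literal> elements would make it clearer which characters are the year and which are the advisory number.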
@ -3250,113 +3362,95 @@ VII. References <co xml:id="co-ref"/></programlisting>
category means that the vulnerability affects a core
component of the &os; operating system. The
<literal>contrib</literal> category means that the
vulnerability affects software contributed to the &os;
Project, such as <application>Sendmail</application>.
vulnerability affects software included with &os;,
such as <application>BIND</application>.
The <literal>ports</literal> category indicates that the
vulnerability affects add on software available through
vulnerability affects software available through
the Ports Collection.</para>
</callout>
</listitem>
<callout arearefs="co-module">
<listitem>
<para>The <literal>Module</literal> field refers to the
component location. In this example, the
<literal>sys</literal> module is affected; therefore, this
vulnerability affects a component used within the
kernel.</para>
</callout>
<literal>bind</literal> module is affected; therefore, this
vulnerability affects an application installed with the
operating system.</para>
</listitem>
<callout arearefs="co-announce">
<listitem>
<para>The <literal>Announced</literal> field reflects the
date the security advisory was published, or announced
to the world. This means that the security team has
date the security advisory was published. This means
that the security team has
verified that the problem exists and that a patch has
been committed to the &os; source code repository.</para>
</callout>
</listitem>
<callout arearefs="co-credit">
<listitem>
<para>The <literal>Credits</literal> field gives credit to
the individual or organization who noticed the
vulnerability and reported it.</para>
</callout>
</listitem>
<callout arearefs="co-affects">
<listitem>
<para>The <literal>Affects</literal> field explains which
releases of &os; are affected by this vulnerability.
For the kernel, a quick look over the output from
&man.ident.1; on the affected files will help in
determining the revision. For ports, the version number
is listed after the port name in <filename>/var/db/pkg</filename>. If the
system does not sync with the &os; Subversion repository
and is not rebuilt daily, chances are that it is
affected.</para>
</callout>
releases of &os; are affected by this vulnerability.</para>
</listitem>
<callout arearefs="co-corrected">
<listitem>
<para>The <literal>Corrected</literal> field indicates the
date, time, time offset, and release that was
date, time, time offset, and releases that were
corrected.</para>
</callout>
</listitem>
<callout arearefs="co-cve">
<para>Reserved for the identification information used to
look up vulnerabilities in the <link xlink:href="http://cve.mitre.org">Common Vulnerabilities
and Exposures</link> database.</para>
</callout>
<listitem>
<para>The <literal>CVE Name</literal> field lists the
advisory number, if one exists, in the public <link
xlink:href="http://cve.mitre.org">cve.mitre.org</link>
security vulnerabilities database.</para>
</listitem>
<callout arearefs="co-backround">
<para>The <literal>Background</literal> field gives
information about the affected utility. Most of the time
this is why the utility exists in &os;, what it is used
for, and a bit of information on how the utility came to
be.</para>
</callout>
<listitem>
<para>The <literal>Background</literal> field provides a
description of the affected module.</para>
</listitem>
<callout arearefs="co-descript">
<listitem>
<para>The <literal>Problem Description</literal> field
explains the security hole in depth. This can include
information on flawed code, or even how the utility
could be maliciously used to open a security hole.</para>
</callout>
explains the vulnerability. This can include
information about the flawed code and how the utility
could be maliciously used.</para>
</listitem>
<callout arearefs="co-impact">
<listitem>
<para>The <literal>Impact</literal> field describes what
type of impact the problem could have on a system. For
example, this could be anything from a denial of service
attack, to extra privileges available to users, or even
giving the attacker superuser access.</para>
</callout>
type of impact the problem could have on a system.</para>
</listitem>
<callout arearefs="co-workaround">
<para>The <literal>Workaround</literal> field offers a
workaround to system administrators who cannot
upgrade the system due to time constraints, network
availability, or other reasons. Security should not be
taken lightly, and an affected system should either be
patched or the workaround implemented.</para>
</callout>
<listitem>
<para>The <literal>Workaround</literal> field indicates if
a workaround is available to system administrators who cannot
immediately patch the system .</para>
</listitem>
<callout arearefs="co-solution">
<para>The <literal>Solution</literal> field offers
<listitem>
<para>The <literal>Solution</literal> field provides the
instructions for patching the affected system. This is a
step by step tested and verified method for getting a
system patched and working securely.</para>
</callout>
</listitem>
<callout arearefs="co-details">
<listitem>
<para>The <literal>Correction Details</literal> field
displays the Subversion branch or release name with the
periods changed to underscore characters. It also shows
the revision number of the affected files within each
branch.</para>
</callout>
displays each affected Subversion branch with
the revision number that contains the corrected code.</para>
</listitem>
<callout arearefs="co-ref">
<para>The <literal>References</literal> field usually
offers sources of other information. This can include
web <acronym>URL</acronym>s, books, mailing lists, and
newsgroups.</para>
</callout>
</calloutlist>
<listitem>
<para>The <literal>References</literal> field
offers sources of additional information regarding the
vulnerability.</para>
</listitem>
</itemizedlist>
</sect2>
</sect1>
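Review bot: The CVE Name item describes the field as listing "the advisory number, if one exists", but the naming item earlier in the same list already uses "advisory number" for the 04 in FreeBSD-SA-14:04, so one term now refers to two different identifiers. Suggest calling it the CVE identifier, with CVE-2014-0591 from the example as the illustration. In the Workaround item, "immediately patch the system .</para>" has a stray space before the period. The Corrected item still says "date, time, time offset", while the example listing shows UTC timestamps followed by the branch and release in parentheses; wording the item to match what the reader sees in the listing would avoid confusion.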