os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

- Consistently use lower case HTML tags.

Browse source 
- Fix indention so it's (more or less) standard FDP style.

No content change, translators can ignore.
This commit is contained in:
Simon L. B. Nielsen 2005-10-17 21:26:56 +00:00
parent 6ecbf0d8e8
commit b0357f0c47
Notes: svn2git 2020-12-08 03:00:23 +00:00 
svn path=/www/; revision=26055
1 changed files with 276 additions and 268 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

544
en/security/security.sgml
View file

@ -1,318 +1,326 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" [
<!ENTITY base CDATA "..">
<!ENTITY date "$FreeBSD: www/en/security/security.sgml,v 1.178 2005/10/04 16:14:41 simon Exp $">
<!ENTITY date "$FreeBSD: www/en/security/security.sgml,v 1.179 2005/10/17 20:27:14 simon Exp $">
<!ENTITY title "FreeBSD Security Information">
<!ENTITY % navincludes SYSTEM "../includes.navsupport.sgml"> %navincludes;
<!ENTITY % includes SYSTEM "../includes.sgml"> %includes;
<!ENTITY % developers SYSTEM "../developers.sgml"> %developers;
<!ENTITY advisories.html.inc SYSTEM "advisories.html.inc">
]>
<!-- $FreeBSD: www/en/security/security.sgml,v 1.178 2005/10/04 16:14:41 simon Exp $ -->
<!-- $FreeBSD: www/en/security/security.sgml,v 1.179 2005/10/17 20:27:14 simon Exp $ -->
<html>
&header;
&header;
<H2>Introduction</H2>
<h2>Introduction</h2>
<P>This web page is designed to assist both new and experienced users
in the area of FreeBSD security. FreeBSD
takes security very seriously and is constantly working
on making the OS as secure as possible.</P>
<p>This web page is designed to assist both new and experienced
users in the area of FreeBSD security. FreeBSD takes security
very seriously and is constantly working on making the OS as
secure as possible.</p>
<P>Here you will find additional information, or links to information,
on how to protect your system against various types of attack,
on whom to contact if you find a security-related bug, and so on. There is
also a section on the various ways that the systems programmer can
become more security conscious so that he is less likely to
introduce vulnerabilities.</P>
<p>Here you will find additional information, or links to
information, on how to protect your system against various types
of attack, on whom to contact if you find a security-related bug,
and so on. There is also a section on the various ways that the
systems programmer can become more security conscious so that he
is less likely to introduce vulnerabilities.</p>
<H2>Table of Contents</H2>
<UL>
<li><a href="#how">How and Where to report a FreeBSD security issue</a></li>
<LI><A HREF="#sec">Information about the FreeBSD Security Officer</A></LI>
<li><a href="charter.html">Charter for the Security Officer and Team</a></li>
<LI><A HREF="#pol">Information handling policies</A></LI>
<LI><A HREF="#adv">FreeBSD Security Advisories</A></LI>
<li><a href="http://www.freebsd.org/handbook/security-advisories.html">
Reading FreeBSD Security Advisories</a></li>
</UL>
<h2>Table of Contents</h2>
<a name="how"></a>
<p>All FreeBSD Security issues should be reported directly to the
<a href="mailto:security@FreeBSD.org">Security Officer Team</a>
personally or otherwise to the <a href="mailto:security-officer@FreeBSD.org">
Security Officer</a>. All reports should at least contain:<br><br>
A description of the vulnerability;<br>
What versions of FreeBSD seem to be affected if possible;<br>
Any plausible workaround;<br>
And example code if possible.<br></p>
<ul>
<li><a href="#how">How and Where to report a FreeBSD security issue</a></li>
<li><a href="#sec">Information about the FreeBSD Security Officer</a></li>
<li><a href="charter.html">Charter for the Security Officer and Team</a></li>
<li><a href="#pol">Information handling policies</a></li>
<li><a href="#adv">FreeBSD Security Advisories</a></li>
<li><a href="http://www.freebsd.org/handbook/security-advisories.html">
Reading FreeBSD Security Advisories</a></li>
</ul>
<p>After this information has been reported the Security Officer
or a Security Team delegate will get back with you.</p>
<a name="how"></a>
<p>All FreeBSD Security issues should be reported directly to the <a
href="mailto:security@FreeBSD.org">Security Officer Team</a>
personally or otherwise to the <a
href="mailto:security-officer@FreeBSD.org"> Security Officer</a>.
All reports should at least contain:<br><br> A description of the
vulnerability;<br> What versions of FreeBSD seem to be affected if
possible;<br> Any plausible workaround;<br> And example code if
possible.<br></p>
<A NAME=sec></A>
<H2>The FreeBSD Security Officer and the Security Officer Team</H2>
<p>After this information has been reported the Security Officer or
a Security Team delegate will get back with you.</p>
<P>To better coordinate information exchange with others in the security
community, FreeBSD has a focal point for security-related communications:
the FreeBSD Security Officer.</P>
<a name=sec></a>
<h2>The FreeBSD Security Officer and the Security Officer Team</h2>
<P>If you need to contact the FreeBSD Project about
a possible security issue, you should therefore <A
HREF="mailto:security-officer@FreeBSD.org">send mail to the Security
Officer</A> with a description of what you have found and the type of
vulnerability it represents.</P>
<p>To better coordinate information exchange with others in the
security community, FreeBSD has a focal point for security-related
communications: the FreeBSD Security Officer.</p>
<p>In order that the FreeBSD Project may respond to vulnerability
reports in a timely manner, there are four members of the Security
Officer mail alias: the Security Officer, Security Officer Emeritus,
Deputy Security Officer,
and one Core Team member. Therefore, messages sent to the
<a
href="mailto:security-officer@FreeBSD.org">&lt;security-officer@FreeBSD.org&gt;</a>
mail alias are currently delivered to:</p>
<p>If you need to contact the FreeBSD Project about a possible
security issue, you should therefore <a
href="mailto:security-officer@FreeBSD.org">send mail to the
Security Officer</a> with a description of what you have found and
the type of vulnerability it represents.</p>
<table>
<tr valign="top">
<td>&a.cperciva; <a
href="mailto:cperciva@FreeBSD.org">&lt;cperciva@FreeBSD.org&gt;</a></td>
<td>Security Officer</td>
</tr>
<tr valign="top">
<td>&a.nectar; <a
href="mailto:nectar@FreeBSD.org">&lt;nectar@FreeBSD.org&gt;</a></td>
<td>Security Officer Emeritus</td>
</tr>
<tr valign="top">
<td>&a.simon; <a
href="mailto:simon@FreeBSD.org">&lt;simon@FreeBSD.org&gt;</a></td>
<td>Deputy Security Officer</td>
</tr>
<tr valign="top">
<td>&a.rwatson; <a
href="mailto:rwatson@FreeBSD.org">&lt;rwatson@FreeBSD.org&gt;</a></td>
<td>FreeBSD Core Team liaison, Release Engineering liaison,<br>
TrustedBSD Project liaison, system security architecture expert</td>
</tr>
</table>
<p>In order that the FreeBSD Project may respond to vulnerability
reports in a timely manner, there are four members of the Security
Officer mail alias: the Security Officer, Security Officer
Emeritus, Deputy Security Officer, and one Core Team member.
Therefore, messages sent to the <a
href="mailto:security-officer@FreeBSD.org">&lt;security-officer@FreeBSD.org&gt;</a>
mail alias are currently delivered to:</p>
<p>The Security Officer is supported by the <a
href="mailto:security@FreeBSD.org">FreeBSD Security Team
&lt;security@FreeBSD.org&gt;</a>, a small group of committers
vetted by the Security Officer.</p>
<table>
<tr valign="top">
<td>&a.cperciva; <a
href="mailto:cperciva@FreeBSD.org">&lt;cperciva@FreeBSD.org&gt;</a></td>
<td>Security Officer</td>
</tr>
<tr valign="top">
<td>&a.nectar; <a
href="mailto:nectar@FreeBSD.org">&lt;nectar@FreeBSD.org&gt;</a></td>
<td>Security Officer Emeritus</td>
</tr>
<tr valign="top">
<td>&a.simon; <a
href="mailto:simon@FreeBSD.org">&lt;simon@FreeBSD.org&gt;</a></td>
<td>Deputy Security Officer</td>
</tr>
<tr valign="top">
<td>&a.rwatson; <a
href="mailto:rwatson@FreeBSD.org">&lt;rwatson@FreeBSD.org&gt;</a></td>
<td>FreeBSD Core Team liaison, Release Engineering liaison,<br>
TrustedBSD Project liaison, system security architecture expert</td>
</tr>
</table>
<p>Please use the <a
href="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/public_key.asc">Security
Officer PGP key</a> to encrypt your messages to the Security Officer
when appropriate.</p>
<p>The Security Officer is supported by the <a
href="mailto:security@FreeBSD.org">FreeBSD Security Team
&lt;security@FreeBSD.org&gt;</a>, a small group of committers
vetted by the Security Officer.</p>
<a NAME="pol"></a>
<h2>Information handling policies</h2>
<p>Please use the <a
href="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/public_key.asc">Security
Officer PGP key</a> to encrypt your messages to the Security
Officer when appropriate.</p>
<p>As a general policy, the FreeBSD Security Officer favors full
disclosure of vulnerability information after a reasonable delay to
permit safe analysis and correction of a vulnerability, as well as
appropriate testing of the correction, and appropriate coordination
with other affected parties.</p>
<a name="pol"></a>
<h2>Information handling policies</h2>
<p>The Security Officer <em>will</em> notify one or more of the
<a href="mailto:admins@FreeBSD.org">FreeBSD Cluster Admins</a> of
vulnerabilities that put the FreeBSD Project's resources under
immediate danger.</p>
<p>As a general policy, the FreeBSD Security Officer favors full
disclosure of vulnerability information after a reasonable delay
to permit safe analysis and correction of a vulnerability, as well
as appropriate testing of the correction, and appropriate
coordination with other affected parties.</p>
<p>The Security Officer may bring additional FreeBSD developers
or outside developers into discussion of a submitted security
vulnerability if their expertise is required to fully understand or
correct the problem. Appropriate discretion will be exercised to
minimize unnecessary distribution of information about the submitted
vulnerability, and any experts brought in will act in accordance of
Security Officer policies. In the past, experts have been brought
in based on extensive experience with highly complex components of
the operating system, including FFS, the VM system, and the network
stack.</p>
<p>The Security Officer <em>will</em> notify one or more of the <a
href="mailto:admins@FreeBSD.org">FreeBSD Cluster Admins</a> of
vulnerabilities that put the FreeBSD Project's resources under
immediate danger.</p>
<p>If a FreeBSD release process is underway, the FreeBSD Release
Engineer may also be notified that a vulnerability exists, and its
severity, so that informed decisions may be made regarding the release
cycle and any serious security bugs present in software associated
with an up-coming release. If requested, the Security Officer will
not share information regarding the nature of the vulnerability with
the Release Engineer, limiting information flow to existence and
severity.</p>
<p>The Security Officer may bring additional FreeBSD developers or
outside developers into discussion of a submitted security
vulnerability if their expertise is required to fully understand
or correct the problem. Appropriate discretion will be exercised
to minimize unnecessary distribution of information about the
submitted vulnerability, and any experts brought in will act in
accordance of Security Officer policies. In the past, experts
have been brought in based on extensive experience with highly
complex components of the operating system, including FFS, the VM
system, and the network stack.</p>
<p>The FreeBSD Security Officer has close working relationships
with a number of other organizations, including third-party vendors
that share code with FreeBSD (the OpenBSD, NetBSD and
DragonFlyBSD projects,
Apple, and other vendors deriving software from FreeBSD, as well
as the Linux vendor security list), as well as organizations
that track vulnerabilities and security incidents, such as CERT.
Frequently vulnerabilities may extend beyond the scope of the
FreeBSD implementation, and (perhaps less frequently) may have
broad implications for the global networking community. Under such
circumstances, the Security Officer may wish to disclose vulnerability
information to these other organizations: if you do not wish the
Security Officer to do this, please indicate so explicitly in any
submissions.</p>
<p>If a FreeBSD release process is underway, the FreeBSD Release
Engineer may also be notified that a vulnerability exists, and its
severity, so that informed decisions may be made regarding the
release cycle and any serious security bugs present in software
associated with an up-coming release. If requested, the Security
Officer will not share information regarding the nature of the
vulnerability with the Release Engineer, limiting information flow
to existence and severity.</p>
<p>Submitters should be careful to explicitly document any special
information handling requirements.</p>
<p>The FreeBSD Security Officer has close working relationships with
a number of other organizations, including third-party vendors
that share code with FreeBSD (the OpenBSD, NetBSD and DragonFlyBSD
projects, Apple, and other vendors deriving software from FreeBSD,
as well as the Linux vendor security list), as well as
organizations that track vulnerabilities and security incidents,
such as CERT. Frequently vulnerabilities may extend beyond the
scope of the FreeBSD implementation, and (perhaps less frequently)
may have broad implications for the global networking community.
Under such circumstances, the Security Officer may wish to
disclose vulnerability information to these other organizations:
if you do not wish the Security Officer to do this, please
indicate so explicitly in any submissions.</p>
<p>If the submitter of a vulnerability is interested in a coordinated
disclosure process with the submitter and/or other vendors, this
should be indicated explicitly in any submissions. In the absence
of explicit requests, the FreeBSD Security Officer will select a
disclosure schedule that reflects both a desire for timely disclosure
and appropriate testing of any solutions. Submitters should be aware
that if the vulnerability is being actively discussed in public forums
(such as bugtraq), and actively exploited, the Security Officer may
choose not to follow a proposed disclosure timeline in order to
provide maximum protection for the user community.</p>
<p>Submitters should be careful to explicitly document any special
information handling requirements.</p>
<p>Submissions may be protected using PGP. If desired, responses will
also be protected using PGP.</p>
<p>If the submitter of a vulnerability is interested in a
coordinated disclosure process with the submitter and/or other
vendors, this should be indicated explicitly in any submissions.
In the absence of explicit requests, the FreeBSD Security Officer
will select a disclosure schedule that reflects both a desire for
timely disclosure and appropriate testing of any solutions.
Submitters should be aware that if the vulnerability is being
actively discussed in public forums (such as bugtraq), and
actively exploited, the Security Officer may choose not to follow
a proposed disclosure timeline in order to provide maximum
protection for the user community.</p>
<A NAME=adv></A>
<H2>FreeBSD Security Advisories</H2>
<p>Submissions may be protected using PGP. If desired, responses
will also be protected using PGP.</p>
<P>The FreeBSD Security Officer provides security advisories for
several branches of FreeBSD development. These are the <EM>-STABLE
Branches</EM> and the <EM>Security Branches</EM>. (Advisories are not
issued for the <EM>-CURRENT Branch</EM>.)</P>
<a name=adv></a>
<h2>FreeBSD Security Advisories</h2>
<UL>
<p>The FreeBSD Security Officer provides security advisories for
several branches of FreeBSD development. These are the
<em>-STABLE Branches</em> and the <em>Security Branches</em>.
(Advisories are not issued for the <em>-CURRENT Branch</em>.)</p>
<LI><P>There is usually only a single -STABLE branch, although
during the transition from one major development line to another
(such as from FreeBSD 4.x to 5.x), there is a time span in which
there are two -STABLE branches. The -STABLE branch tags have names
like <TT>RELENG_4</TT>. The corresponding builds have names like
<TT>FreeBSD 4.10-STABLE</TT>.</P></LI>
<ul>
<LI><P>Each FreeBSD Release has an associated Security Branch.
The Security Branch tags have names like <TT>RELENG_4_10</TT>.
The corresponding builds have names like <TT>FreeBSD
4.10-RELEASE-p5</TT>.</P></LI>
<li><p>There is usually only a single -STABLE branch, although
during the transition from one major development line to another
(such as from FreeBSD 4.x to 5.x), there is a time span in which
there are two -STABLE branches. The -STABLE branch tags have
names like <tt>RELENG_4</tt>. The corresponding builds have
names like <tt>FreeBSD 4.10-STABLE</tt>.</p></li>
</UL>
<li><p>Each FreeBSD Release has an associated Security Branch.
The Security Branch tags have names like <tt>RELENG_4_10</tt>.
The corresponding builds have names like <tt>FreeBSD
4.10-RELEASE-p5</tt>.</p></li>
</ul>
<P>Issues affecting the FreeBSD Ports Collection are covered
in <A HREF="http://vuxml.FreeBSD.org/">the FreeBSD VuXML
document</A>.</P>
<p>Issues affecting the FreeBSD Ports Collection are covered in <a
href="http://vuxml.FreeBSD.org/">the FreeBSD VuXML
document</a>.</p>
<P>Each branch is supported by the Security Officer for a limited time
only, and is designated as one of `<EM>Early adopter</EM>',
`<EM>Normal</EM>', or `<EM>Extended</EM>'. The designation is used as a
guideline for determining the lifetime of the branch as follows.</P>
<p>Each branch is supported by the Security Officer for a limited
time only, and is designated as one of `<em>Early adopter</em>',
`<em>Normal</em>', or `<em>Extended</em>'. The designation is
used as a guideline for determining the lifetime of the branch as
follows.</p>
<DL>
<DT>Early adopter</DT>
<DD>Releases which are published from the -CURRENT branch will be
supported by the Security Officer for a minimum of 6 months after
the release.</DD>
<DT>Normal</DT>
<DD>Releases which are published from the -STABLE branch will be
supported by the Security Officer for a minimum of 12 months after the
release.</DD>
<DT>Extended</DT>
<DD>Selected releases will be supported by the Security Officer for a
minimum of 24 months after the release.</DD>
</DL>
<dl>
<dt>Early adopter</dt>
<dd>Releases which are published from the -CURRENT branch will be
supported by the Security Officer for a minimum of 6 months after
the release.</dd>
<dt>Normal</dt>
<dd>Releases which are published from the -STABLE branch will be
supported by the Security Officer for a minimum of 12 months after the
release.</dd>
<dt>Extended</dt>
<dd>Selected releases will be supported by the Security Officer for a
minimum of 24 months after the release.</dd>
</dl>
<P>The current designation and estimated lifetimes of the currently
supported branches are given below. The <EM>Estimated EoL
(end-of-life)</EM> column gives the earliest date on which that branch
is likely to be dropped. Please note that these dates may be extended
into the future, but only extenuating circumstances would lead to a
branch's support being dropped earlier than the date listed.</P>
<p>The current designation and estimated lifetimes of the currently
supported branches are given below. The <em>Estimated EoL
(end-of-life)</em> column gives the earliest date on which that
branch is likely to be dropped. Please note that these dates may
be extended into the future, but only extenuating circumstances
would lead to a branch's support being dropped earlier than the
date listed.</p>
<!--
Please also update www/en/releng/index.sgml when updating this
list of supported branches.
-->
<TABLE class="tblbasic">
<TR>
<TH>Branch</TH>
<TH>Release</TH>
<TH>Type</TH>
<TH>Release Date</TH>
<TH>Estimated EoL</TH>
</TR>
<TR>
<TD>RELENG_4</TD>
<TD>n/a</TD>
<TD>n/a</TD>
<TD>n/a</TD>
<TD>January 31, 2007</TD>
</TR>
<TR>
<TD>RELENG_4_10</TD>
<TD>4.10-RELEASE</TD>
<TD>Extended</TD>
<TD>May 27, 2004</TD>
<TD>May 31, 2006</TD>
</TR>
<TR>
<TD>RELENG_4_11</TD>
<TD>4.11-RELEASE</TD>
<TD>Extended</TD>
<TD>January 25, 2005</TD>
<TD>January 31, 2007</TD>
</TR>
<TR>
<TD>RELENG_5</TD>
<TD>n/a</TD>
<TD>n/a</TD>
<TD>n/a</TD>
<TD>May 31, 2007</TD>
</TR>
<TR>
<TD>RELENG_5_3</TD>
<TD>5.3-RELEASE</TD>
<TD>Extended</TD>
<TD>November 6, 2004</TD>
<TD>October 31, 2006</TD>
</TR>
<TR>
<TD>RELENG_5_4</TD>
<TD>5.4-RELEASE</TD>
<TD>Normal</TD>
<TD>May 9, 2005</TD>
<TD>May 31, 2006</TD>
</TR>
</TABLE>
<!--
Please also update www/en/releng/index.sgml when updating this
list of supported branches.
-->
<table class="tblbasic">
<tr>
<th>Branch</th>
<th>Release</th>
<th>Type</th>
<th>Release Date</th>
<th>Estimated EoL</th>
</tr>
<tr>
<td>RELENG_4</td>
<td>n/a</td>
<td>n/a</td>
<td>n/a</td>
<td>January 31, 2007</td>
</tr>
<tr>
<td>RELENG_4_10</td>
<td>4.10-RELEASE</td>
<td>Extended</td>
<td>May 27, 2004</td>
<td>May 31, 2006</td>
</tr>
<tr>
<td>RELENG_4_11</td>
<td>4.11-RELEASE</td>
<td>Extended</td>
<td>January 25, 2005</td>
<td>January 31, 2007</td>
</tr>
<tr>
<td>RELENG_5</td>
<td>n/a</td>
<td>n/a</td>
<td>n/a</td>
<td>May 31, 2007</td>
</tr>
<tr>
<td>RELENG_5_3</td>
<td>5.3-RELEASE</td>
<td>Extended</td>
<td>November 6, 2004</td>
<td>October 31, 2006</td>
</tr>
<tr>
<td>RELENG_5_4</td>
<td>5.4-RELEASE</td>
<td>Normal</td>
<td>May 9, 2005</td>
<td>May 31, 2006</td>
</tr>
</table>
<P>Older releases are not maintained and users are strongly encouraged
to upgrade to one of the supported releases mentioned above.</P>
<p>Older releases are not maintained and users are strongly
encouraged to upgrade to one of the supported releases mentioned
above.</p>
<P>Some statistics about advisories released during 2002:</P>
<UL>
<LI>44 advisories of varying severity were issued for the base system.</LI>
<LI>12 advisories described vulnerabilities found only in FreeBSD.
The remaining 32 were problems shared with at least one other OS
(often due to shared code).</LI>
<LI>6 security notices were issued, covering a total of 95 issues in
optional third party applications included in the Ports Collection.</LI>
</UL>
<p>Some statistics about advisories released during 2002:</p>
<P>Advisories are sent to the following FreeBSD mailing lists:</P>
<UL>
<LI>FreeBSD-security-notifications@FreeBSD.org</LI>
<LI>FreeBSD-security@FreeBSD.org</LI>
<LI>FreeBSD-announce@FreeBSD.org</LI>
</UL>
<ul>
<li>44 advisories of varying severity were issued for the base
system.</li>
<li>12 advisories described vulnerabilities found only in FreeBSD.
The remaining 32 were problems shared with at least one other OS
(often due to shared code).</li>
<P>Advisories are always signed using the FreeBSD Security Officer
<A HREF="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/public_key.asc"> PGP key
</A> and are archived, along with their associated patches, at our
<A HREF="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/index.html">FTP CERT
repository</A>. At the time of this writing, the following advisories are
currently available (note that this list may be a few days out of date -
for the very latest advisories please check the
<A HREF="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/">FTP site</A>):</P>
<li>6 security notices were issued, covering a total of 95 issues
in optional third party applications included in the Ports
Collection.</li>
</ul>
&advisories.html.inc;
<p>Advisories are sent to the following FreeBSD mailing lists:</p>
<ul>
<li>FreeBSD-security-notifications@FreeBSD.org</li>
<li>FreeBSD-security@FreeBSD.org</li>
<li>FreeBSD-announce@FreeBSD.org</li>
</ul>
&footer;
</body>
<p>Advisories are always signed using the FreeBSD Security Officer
<a href="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/public_key.asc">PGP
key</a> and are archived, along with their associated
patches, at our <a
href="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/index.html">FTP CERT
repository</a>. At the time of this writing, the following
advisories are currently available (note that this list may be a
few days out of date - for the very latest advisories please check
the <a href="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/">FTP
site</a>):</p>
&advisories.html.inc;
&footer;
</body>
</html>