diff options
Diffstat (limited to 'share/security/advisories/FreeBSD-SA-06:15.ypserv.asc')
-rw-r--r-- | share/security/advisories/FreeBSD-SA-06:15.ypserv.asc | 130 |
1 files changed, 0 insertions, 130 deletions
diff --git a/share/security/advisories/FreeBSD-SA-06:15.ypserv.asc b/share/security/advisories/FreeBSD-SA-06:15.ypserv.asc deleted file mode 100644 index 942010338d..0000000000 --- a/share/security/advisories/FreeBSD-SA-06:15.ypserv.asc +++ /dev/null @@ -1,130 +0,0 @@ ------BEGIN PGP SIGNED MESSAGE----- -Hash: SHA1 - -============================================================================= -FreeBSD-SA-06:15.ypserv Security Advisory - The FreeBSD Project - -Topic: Inoperative access controls in ypserv(8) - -Category: core -Module: ypserv -Announced: 2006-05-31 -Credits: Hokan -Affects: All FreeBSD 5.x and FreeBSD 6.x releases -Corrected: 2006-05-31 22:31:21 UTC (RELENG_6, 6.1-STABLE) - 2006-05-31 22:31:42 UTC (RELENG_6_1, 6.1-RELEASE-p1) - 2006-05-31 22:32:04 UTC (RELENG_6_0, 6.0-RELEASE-p8) - 2006-05-31 22:32:22 UTC (RELENG_5, 5.5-STABLE) - 2006-05-31 22:32:49 UTC (RELENG_5_5, 5.5-RELEASE-p1) - 2006-05-31 22:33:17 UTC (RELENG_5_4, 5.4-RELEASE-p15) - 2006-05-31 22:33:41 UTC (RELENG_5_3, 5.3-RELEASE-p30) -CVE Name: CVE-2006-2655 - -For general information regarding FreeBSD Security Advisories, -including descriptions of the fields above, security branches, and the -following sections, please visit -<URL:http://www.freebsd.org/security/>. - -I. Background - -The ypserv(8) utility is a server which distributes NIS databases to client -systems within an NIS domain. - -II. Problem Description - -There are two documented methods of restricting access to NIS maps through -ypserv(8): through the use of the /var/yp/securenets file, and through the -/etc/hosts.allow file. While both mechanisms are implemented in the server, -a change in the build process caused the "securenets" access restrictions -to be inadvertantly disabled. - -III. Impact - -ypserv(8) will not load or process any of the networks or hosts specified in -the /var/yp/securenets file, rendering those access controls ineffective. - -IV. Workaround - -One possible workaround is to use /etc/hosts.allow for access control, as -shown by examples in that file. - -Another workaround is to use a firewall (e.g., ipfw(4), ipf(4), or pf(4)) -to limit access to RPC functions from untrusted systems or networks, but -due to the complexities of RPC, it might be difficult to create a set of -firewall rules which accomplish this without blocking all access to the -machine in question. - -V. Solution - -Perform one of the following: - -1) Upgrade your vulnerable system to 5-STABLE or 6-STABLE, or to the -RELENG_6_1, RELENG_6_0, RELENG_5_5, RELENG_5_4, or RELENG_5_3 security -branch dated after the correction date. - -2) To patch your present system: - -The following patches have been verified to apply to FreeBSD 5.3, 5.4, -5.5, 6.0, and 6.1 systems. - -a) Download the relevant patch from the location below, and verify the -detached PGP signature using your PGP utility. - -# fetch http://security.FreeBSD.org/patches/SA-06:15/ypserv.patch -# fetch http://security.FreeBSD.org/patches/SA-06:15/ypserv.patch.asc - -b) Execute the following commands as root: - -# cd /usr/src -# patch < /path/to/patch -# cd /usr/src/usr.sbin/ypserv -# make obj && make depend && make && make install - -VI. Correction details - -The following list contains the revision numbers of each file that was -corrected in FreeBSD. - -Branch Revision - Path -- ------------------------------------------------------------------------- -RELENG_5 - src/usr.sbin/ypserv/yp_access.c 1.22.6.1 -RELENG_5_5 - src/UPDATING 1.342.2.35.2.1 - src/sys/conf/newvers.sh 1.62.2.21.2.3 - src/usr.sbin/ypserv/yp_access.c 1.22.18.1 -RELENG_5_4 - src/UPDATING 1.342.2.24.2.24 - src/sys/conf/newvers.sh 1.62.2.18.2.20 - src/usr.sbin/ypserv/yp_access.c 1.22.10.1 -RELENG_5_3 - src/UPDATING 1.342.2.13.2.33 - src/sys/conf/newvers.sh 1.62.2.15.2.35 - src/usr.sbin/ypserv/yp_access.c 1.22.8.1 -RELENG_6 - src/usr.sbin/ypserv/yp_access.c 1.22.12.1 -RELENG_6_1 - src/UPDATING 1.416.2.22.2.3 - src/sys/conf/newvers.sh 1.69.2.11.2.3 - src/usr.sbin/ypserv/yp_access.c 1.22.16.1 -RELENG_6_0 - src/UPDATING 1.416.2.3.2.13 - src/sys/conf/newvers.sh 1.69.2.8.2.9 - src/usr.sbin/ypserv/yp_access.c 1.22.14.1 -- ------------------------------------------------------------------------- - -VII. References - -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2655 - -The latest revision of this advisory is available at -http://security.FreeBSD.org/advisories/FreeBSD-SA-06:15.ypserv.asc ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.3 (FreeBSD) - -iD8DBQFEfhuUFdaIBMps37IRAhH5AJ9cpTLcR+aWSRPUa1zUDYThhKDqowCggYr1 -4OyjFHW/C+NB9nMIX8Wf7IE= -=NNUN ------END PGP SIGNATURE----- |