15.13. FreeBSD Security Advisories

Contributed by Tom Rhodes.

Like many production quality operating systems, FreeBSD publishes Security Advisories. These advisories are usually mailed to the security lists and noted in the Errata only after the appropriate releases have been patched. This section explains what an advisory is, how to understand it, and what measures to take in order to patch a system.

15.13.1. What Does an Advisory Look Like?

FreeBSD security advisories use the format seen in this example:

============================================================================= FreeBSD-SA-XX:XX.UTIL Security Advisory The FreeBSD Project Topic: denial of service due to some problem 1 Category: core 2 Module: sys 3 Announced: 2003-09-23 4 Credits: Person 5 Affects: All releases of FreeBSD 6 FreeBSD 4-STABLE prior to the correction date Corrected: 2003-09-23 16:42:59 UTC (RELENG_4, 4.9-PRERELEASE) 2003-09-23 20:08:42 UTC (RELENG_5_1, 5.1-RELEASE-p6) 2003-09-23 20:07:06 UTC (RELENG_5_0, 5.0-RELEASE-p15) 2003-09-23 16:44:58 UTC (RELENG_4_8, 4.8-RELEASE-p8) 2003-09-23 16:47:34 UTC (RELENG_4_7, 4.7-RELEASE-p18) 2003-09-23 16:49:46 UTC (RELENG_4_6, 4.6-RELEASE-p21) 2003-09-23 16:51:24 UTC (RELENG_4_5, 4.5-RELEASE-p33) 2003-09-23 16:52:45 UTC (RELENG_4_4, 4.4-RELEASE-p43) 2003-09-23 16:54:39 UTC (RELENG_4_3, 4.3-RELEASE-p39) 7 CVE Name: CVE-XXXX-XXXX 8 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit http://www.FreeBSD.org/security/. I. Background 9 II. Problem Description 10 III. Impact 11 IV. Workaround 12 V. Solution 13 VI. Correction details 14 VII. References 15


The Topic field specifies the problem. It provides an introduction to the security advisory and notes the utility affected by the vulnerability.


The Category refers to the affected part of the system which may be one of core, contrib, or ports. The core category means that the vulnerability affects a core component of the FreeBSD operating system. The contrib category means that the vulnerability affects software contributed to the FreeBSD Project, such as Sendmail. The ports category indicates that the vulnerability affects add on software available through the Ports Collection.


The Module field refers to the component location. In this example, the sys module is affected; therefore, this vulnerability affects a component used within the kernel.


The Announced field reflects the date the security advisory was published, or announced to the world. This means that the security team has verified that the problem exists and that a patch has been committed to the FreeBSD source code repository.


The Credits field gives credit to the individual or organization who noticed the vulnerability and reported it.


The Affects field explains which releases of FreeBSD are affected by this vulnerability. For the kernel, a quick look over the output from ident(1) on the affected files will help in determining the revision. For ports, the version number is listed after the port name in /var/db/pkg. If the system does not sync with the FreeBSD Subversion repository and is not rebuilt daily, chances are that it is affected.


The Corrected field indicates the date, time, time offset, and release that was corrected.


Reserved for the identification information used to look up vulnerabilities in the Common Vulnerabilities and Exposures database.


The Background field gives information about the affected utility. Most of the time this is why the utility exists in FreeBSD, what it is used for, and a bit of information on how the utility came to be.


The Problem Description field explains the security hole in depth. This can include information on flawed code, or even how the utility could be maliciously used to open a security hole.


The Impact field describes what type of impact the problem could have on a system. For example, this could be anything from a denial of service attack, to extra privileges available to users, or even giving the attacker superuser access.


The Workaround field offers a workaround to system administrators who cannot upgrade the system due to time constraints, network availability, or other reasons. Security should not be taken lightly, and an affected system should either be patched or the workaround implemented.


The Solution field offers instructions for patching the affected system. This is a step by step tested and verified method for getting a system patched and working securely.


The Correction Details field displays the Subversion branch or release name with the periods changed to underscore characters. It also shows the revision number of the affected files within each branch.


The References field usually offers sources of other information. This can include web URLs, books, mailing lists, and newsgroups.

All FreeBSD documents are available for download at http://ftp.FreeBSD.org/pub/FreeBSD/doc/

Questions that are not answered by the documentation may be sent to <freebsd-questions@FreeBSD.org>.

Send questions about this document to <freebsd-doc@FreeBSD.org>.