Like many production quality operating systems, FreeBSD publishes “Security
Advisories”. These advisories are usually mailed to the security lists and noted in
the Errata only after the appropriate releases have been patched. This section will work
to explain what an advisory is, how to understand it, and what measures to take in order
to patch a system.
The FreeBSD security advisories look similar to the one below, taken from the freebsd-security-notifications mailing list.
=============================================================================
FreeBSD-SA-XX:XX.UTIL Security Advisory
The FreeBSD Project
Topic: denial of service due to some problem
Category: core
Module: sys
Announced: 2003-09-23
Credits: Person@EMAIL-ADDRESS
Affects: All releases of FreeBSD
FreeBSD 4-STABLE prior to the correction date
Corrected: 2003-09-23 16:42:59 UTC (RELENG_4, 4.9-PRERELEASE)
2003-09-23 20:08:42 UTC (RELENG_5_1, 5.1-RELEASE-p6)
2003-09-23 20:07:06 UTC (RELENG_5_0, 5.0-RELEASE-p15)
2003-09-23 16:44:58 UTC (RELENG_4_8, 4.8-RELEASE-p8)
2003-09-23 16:47:34 UTC (RELENG_4_7, 4.7-RELEASE-p18)
2003-09-23 16:49:46 UTC (RELENG_4_6, 4.6-RELEASE-p21)
2003-09-23 16:51:24 UTC (RELENG_4_5, 4.5-RELEASE-p33)
2003-09-23 16:52:45 UTC (RELENG_4_4, 4.4-RELEASE-p43)
2003-09-23 16:54:39 UTC (RELENG_4_3, 4.3-RELEASE-p39)
CVE Name: CVE-XXXX-XXXX
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
http://www.FreeBSD.org/security/.
I. Background
II. Problem Description
III. Impact(11)
IV. Workaround(12)
V. Solution(13)
VI. Correction details(14)
VII. References(15)
- The Topic field indicates exactly what the problem is. It is
basically an introduction to the current security advisory and notes the utility with the
vulnerability.
- The Category refers to the affected part of the system which
may be one of core, contrib, or ports. The core category means that the
vulnerability affects a core component of the FreeBSD operating system. The contrib category means that the vulnerability affects software
contributed to the FreeBSD Project, such as sendmail. Finally
the ports category indicates that the vulnerability affects add
on software available as part of the Ports Collection.
- The Module field refers to the component location, for
instance sys. In this example, we see that the module, sys, is affected; therefore, this vulnerability affects a component
used within the kernel.
- The Announced field reflects the date said security advisory
was published, or announced to the world. This means that the security team has verified
that the problem does exist and that a patch has been committed to the FreeBSD source
code repository.
- The Credits field gives credit to the individual or
organization who noticed the vulnerability and reported it.
- The Affects field explains which releases of FreeBSD are
affected by this vulnerability. For the kernel, a quick look over the output from ident on the affected files will help in determining the revision.
For ports, the version number is listed after the port name in /var/db/pkg. If the system does not sync with the FreeBSD CVS repository and rebuild daily, chances are that it is
affected.
- The Corrected field indicates the date, time, time offset,
and release that was corrected.
- Reserved for the identification information used to look up vulnerabilities in the
Common Vulnerabilities Database system.
- The Background field gives information on exactly what the
affected utility is. Most of the time this is why the utility exists in FreeBSD, what it
is used for, and a bit of information on how the utility came to be.
- The Problem Description field explains the security hole in
depth. This can include information on flawed code, or even how the utility could be
maliciously used to open a security hole.
- (11)
- The Impact field describes what type of impact the problem
could have on a system. For example, this could be anything from a denial of service
attack, to extra privileges available to users, or even giving the attacker superuser
access.
- (12)
- The Workaround field offers a feasible workaround to system
administrators who may be incapable of upgrading the system. This may be due to time
constraints, network availability, or a slew of other reasons. Regardless, security
should not be taken lightly, and an affected system should either be patched or the
security hole workaround should be implemented.
- (13)
- The Solution field offers instructions on patching the
affected system. This is a step by step tested and verified method for getting a system
patched and working securely.
- (14)
- The Correction Details field displays the CVS branch or release name with the periods changed to
underscore characters. It also shows the revision number of the affected files within
each branch.
- (15)
- The References field usually offers sources of other
information. This can included web URLs, books,
mailing lists, and newsgroups.