A very important and urgent step to take as early after a security vulnerability is discovered as possible is to notify the community of port users about the jeopardy. Such notification serves two purposes. First, if the danger is really severe it will be wise to apply an instant workaround. For example, stop the affected network service or even deinstall the port completely until the vulnerability is closed. Second, a lot of users tend to upgrade installed packages only occasionally. They will know from the notification that they must update the package without delay as soon as a corrected version is available.
Given the huge number of ports in the tree, a security advisory cannot be issued on each incident without creating a flood and losing the attention of the audience when it comes to really serious matters. Therefore security vulnerabilities found in ports are recorded in the FreeBSD VuXML database. The Security Officer Team members also monitor it for issues requiring their intervention.
Committers can update the VuXML database themselves, assisting the Security Officer Team and delivering crucial information to the community more quickly. Those who are not committers or have discovered an exceptionally severe vulnerability should not hesitate to contact the Security Officer Team directly, as described on the FreeBSD Security Information page.
The VuXML database is an XML document.
Its source file vuln.xml
is kept right
inside the port security/vuxml.
Therefore the file's full pathname will be
PORTSDIR/security/vuxml/vuln.xml
. Each
time a security vulnerability is discovered in a port, please
add an entry for it to that file. Until familiar with
VuXML, the best thing to do is to find an existing entry
fitting the case at hand, then copy it and use it as a
template.
The full-blown XML format is complex, and far beyond the scope of this book. However, to gain basic insight on the structure of a VuXML entry only the notion of tags is needed. XML tag names are enclosed in angle brackets. Each opening <tag> must have a matching closing </tag>. Tags may be nested. If nesting, the inner tags must be closed before the outer ones. There is a hierarchy of tags, that is, more complex rules of nesting them. This is similar to HTML. The major difference is that XML is eXtensible, that is, based on defining custom tags. Due to its intrinsic structure XML puts otherwise amorphous data into shape. VuXML is particularly tailored to mark up descriptions of security vulnerabilities.
Now consider a realistic VuXML entry:
<vuln vid="f4bc80f4-da62-11d8-90ea-0004ac98a7b9"> <topic>Several vulnerabilities found in Foo</topic> <affects> <package> <name>foo</name> <name>foo-devel</name> <name>ja-foo</name> <range><ge>1.6</ge><lt>1.9</lt></range> <range><ge>2.*</ge><lt>2.4_1</lt></range> <range><eq>3.0b1</eq></range> </package> <package> <name>openfoo</name> <range><lt>1.10_7</lt></range> <range><ge>1.2,1</ge><lt>1.3_1,1</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> <p>J. Random Hacker reports:</p> <blockquote cite="http://j.r.hacker.com/advisories/1"> <p>Several issues in the Foo software may be exploited via carefully crafted QUUX requests. These requests will permit the injection of Bar code, mumble theft, and the readability of the Foo administrator account.</p> </blockquote> </body> </description> <references> <freebsdsa>SA-10:75.foo</freebsdsa> <freebsdpr>ports/987654</freebsdpr> <cvename>CAN-2010-0201</cvename> <cvename>CAN-2010-0466</cvename> <bid>96298</bid> <certsa>CA-2010-99</certsa> <certvu>740169</certvu> <uscertsa>SA10-99A</uscertsa> <uscertta>SA10-99A</uscertta> <mlist msgid="201075606@hacker.com">http://marc.theaimsgroup.com/?l=bugtraq&m=203886607825605</mlist> <url>http://j.r.hacker.com/advisories/1</url> </references> <dates> <discovery>2010-05-25</discovery> <entry>2010-07-13</entry> <modified>2010-09-17</modified> </dates> </vuln>
The tag names are supposed to be self-explanatory so we shall take a closer look only at fields which needs to be filled in:
This is the top-level tag of a VuXML entry. It has a
mandatory attribute, | |
This is a one-line description of the issue found. | |
The names of packages affected are listed there. Multiple names can be given since several packages may be based on a single master port or software product. This may include stable and development branches, localized versions, and slave ports featuring different choices of important build-time configuration options. Important:It is the submitter's responsibility to find all
such related packages when writing a VuXML entry. Keep
in mind that
| |
Affected versions of the package(s) are specified
there as one or more ranges using a combination of
In a range specification, The above example specifies that affected are versions
| |
Several related package groups (essentially, ports)
can be listed in the | |
The version ranges have to allow for
| |
This is a summary of the issue. XHTML is used in this
field. At least enclosing | |
This section contains references to relevant documents. As many references as apply are encouraged. | |
This is a FreeBSD security advisory. | |
This is a FreeBSD problem report. | |
This is a MITRE CVE identifier. | |
This is a SecurityFocus Bug ID. | |
This is a US-CERT security advisory. | |
This is a US-CERT vulnerability note. | |
This is a US-CERT Cyber Security Alert. | |
This is a US-CERT Technical Cyber Security Alert. | |
This is a URL to an archived posting in a mailing
list. The attribute | |
This is a generic URL. Only it if none of the other reference categories apply. | |
This is the date when the issue was disclosed
( | |
This is the date when the entry was added
( | |
This is the date when any information in the entry was
last modified ( |
This example describes a new entry for a vulnerability in
the package dropbear
that has been fixed in
version dropbear-2013.59
.
As a prerequisite, install a fresh version of security/vuxml port.
First, check whether there already is an entry for this
vulnerability. If there were such an entry, it would match
the previous version of the package,
2013.58
:
%
pkg audit dropbear-2013.58
If there is none found, add a new entry for this vulnerability.
%
cd ${PORTSDIR}/security/vuxml
%
make newentry
Verify its syntax and formatting:
%
make validate
At least one of these packages needs to be installed: textproc/libxml2, textproc/jade.
Verify that the <affected>
section of the entry will match the correct packages:
%
pkg audit -f ${PORTSDIR}/security/vuxml/vuln.xml dropbear-2013.58
Make sure that the entry produces no spurious matches in the output.
Now check whether the right package versions are matched by the entry:
%
pkg audit -f ${PORTSDIR}/security/vuxml/vuln.xml dropbear-2013.58 dropbear-2013.59
dropbear-2012.58 is vulnerable: dropbear -- exposure of sensitive information, DoS CVE: CVE-2013-4434 CVE: CVE-2013-4421 WWW: http://portaudit.FreeBSD.org/8c9b48d1-3715-11e3-a624-00262d8b701d.html 1 problem(s) in the installed packages found.
The former version matches while the latter one does not.
All FreeBSD documents are available for download at https://download.freebsd.org/ftp/doc/
Questions that are not answered by the
documentation may be
sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.