kfreebsd-10: CVE-2014-7250 resource consumption issue

Related Vulnerabilities: CVE-2014-7250  

Debian Bug report logs - #778367

Reported by: Michael Gilbert <mgilbert@debian.org>

Date: Sat, 14 Feb 2015 04:12:02 UTC

Severity: important

Tags: moreinfo, security

Forwarded to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=195243



Report forwarded to debian-bugs-dist@lists.debian.org, GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>:
Bug#778367; Package src:kfreebsd-10. (Sat, 14 Feb 2015 04:12:06 GMT)


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
New Bug report received and forwarded. Copy sent to GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>. (Sat, 14 Feb 2015 04:12:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: kfreebsd-10: CVE-2014-7250 resource consumption issue
Date: Fri, 13 Feb 2015 23:08:45 -0500
package: src:kfreebsd-10
severity: important
tags: security

Hi,

the following vulnerability was published for kfreebsd-10.

CVE-2014-7250[0]:
| The TCP stack in 4.3BSD Net/2, as used in FreeBSD 5.4, NetBSD possibly
| 2.0, and OpenBSD possibly 3.6, does not properly implement the session
| timer, which allows remote attackers to cause a denial of service
| (resource consumption) via crafted packets.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2014-7250

Note that the versions mentioned in the advisory are really old
(freebsd 5.4), but unfortunately there aren't enough details yet to
actually check.

Best wishes,
Mike



Information forwarded to debian-bugs-dist@lists.debian.org, GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>:
Bug#778367; Package src:kfreebsd-10. (Sat, 14 Feb 2015 12:27:12 GMT)


Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
Extra info received and forwarded to list. Copy sent to GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>. (Sat, 14 Feb 2015 12:27:12 GMT)


Message #10 received at 778367@bugs.debian.org:

From: Steven Chamberlain <steven@pyro.eu.org>
To: Michael Gilbert <mgilbert@debian.org>, 778367@bugs.debian.org
Subject: Re: Bug#778367: kfreebsd-10: CVE-2014-7250 resource consumption issue
Date: Sat, 14 Feb 2015 12:24:07 +0000
forwarded 778367 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=195243
tags 778367 + moreinfo
thanks

Hi,

Michael Gilbert wrote:
> Note that the versions mentioned in the advisory are really old
> (freebsd 5.4), but unfortunately there aren't enough details yet to
> actually check.

There are barely any details at all:

http://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000134.html

It is an "issue in the handling of the TCP session timer, which may
lead to a denial-of-service".

"When a specially crafted packet from a malicious server is received,
a condition where client resources are not released may occur".

https://jvn.jp/en/jp/JVN07930208/index.html

"This JVN publication was delayed to 2014/11/21 after developer fixes
were developed";  only a few proprietary systems are mentioned as
'not vulnerable'.

On the day of publication, the FreeBSD bug was opened by a third party
with still no additional details.  It doesn't seem that JVN notified
OpenBSD either.

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org
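The advisory quoted above says only that "client resources are not released" after a crafted packet from a malicious server, without naming the resource. One generic thing an administrator of an affected host can watch in the meantime is TCP sockets accumulating in half-closed or waiting states, which is how a leaked TCP session timer would typically surface. The following is an added example, not code from this bug report or from the kfreebsd/FreeBSD project: it parses `netstat -an -p tcp` output in FreeBSD's column layout (the sample below is constructed, and the threshold values are arbitrary assumptions, not values derived from the advisory).

```shell
#!/bin/sh
# Count TCP sockets per state from FreeBSD-style `netstat -an -p tcp` output
# and warn when a "stuck" state grows past a threshold.
#
# Constructed sample output (not captured from a real host). In real use:
#   netstat -an -p tcp | tcp_state_counts
SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.168.1.10.52344     93.184.216.34.80       ESTABLISHED
tcp4       0      0 192.168.1.10.52345     93.184.216.34.80       CLOSE_WAIT
tcp4       0      0 192.168.1.10.52346     93.184.216.34.80       CLOSE_WAIT
tcp4       0      0 192.168.1.10.52347     93.184.216.34.80       FIN_WAIT_2
tcp4       0      0 *.22                   *.*                    LISTEN
tcp6       0      0 *.22                   *.*                    LISTEN'

# Read netstat output on stdin; print "STATE count" lines, sorted by state.
# Only lines whose first field starts with "tcp" and that carry a state
# column are counted, so the banner and header lines are skipped.
tcp_state_counts() {
    awk '$1 ~ /^tcp/ && NF >= 6 { n[$NF]++ }
         END { for (s in n) print s, n[s] }' | sort
}

# Read netstat output on stdin; print the count for one state (0 if absent).
count_state() {
    tcp_state_counts | awk -v st="$1" '
        $1 == st { print $2; found = 1 }
        END { if (!found) print 0 }'
}

# Read netstat output on stdin; return 1 (and print a warning) if the
# number of sockets in state $1 exceeds the threshold $2, else return 0.
# Thresholds are site-specific assumptions; tune them to a known-good baseline.
check_threshold() {
    st="$1"; max="$2"
    c=$(count_state "$st")
    if [ "$c" -gt "$max" ]; then
        echo "WARN: $c sockets in $st (threshold $max)"
        return 1
    fi
    return 0
}

# Stand-alone demo against the constructed sample.
printf '%s\n' "$SAMPLE" | tcp_state_counts
printf '%s\n' "$SAMPLE" | check_threshold CLOSE_WAIT 1 || true
```

Run it periodically (e.g. from cron) against live `netstat -an -p tcp` output and compare against a baseline taken when the host is idle; a count in CLOSE_WAIT or FIN_WAIT_2 that only ever grows while the peer is a single remote host is the symptom worth escalating. It is a monitoring aid only and says nothing about whether a given kernel is actually affected by this CVE.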



Set Bug forwarded-to-address to 'https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=195243'. Request was from Steven Chamberlain <steven@pyro.eu.org> to control@bugs.debian.org. (Sat, 14 Feb 2015 12:27:15 GMT)


Added tag(s) moreinfo. Request was from Steven Chamberlain <steven@pyro.eu.org> to control@bugs.debian.org. (Sat, 14 Feb 2015 12:27:16 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:03:01 2019; Machine Name: beach
