Vulnerabilities in GhostBSD10.1-BETA2-2 Mate!


Post by erno » Tue Sep 01, 2015 3:31 pm

Greetings to all!

How do I update the system and its applications in GhostBSD10.1-BETA2-2 Mate? There are many vulnerabilities in GhostBSD10.1-BETA2-2 Mate. I would also like to know: where is the X.org configuration file? There is a small error window when entering the Mate desktop. :)

Code:
# pkg audit -F
vulnxml file up-to-date
libvpx-1.4.0 is vulnerable:
libvpx -- multiple buffer overflows
CVE: CVE-2015-4486
CVE: CVE-2015-4485
WWW: https://vuxml.FreeBSD.org/freebsd/34e60332-2448-4ed6-93f0-12713749f250.html

jasper-1.900.1_14 is vulnerable:
jasper -- multiple vulnerabilities
CVE: CVE-2015-5221
CVE: CVE-2015-5203
WWW: https://vuxml.FreeBSD.org/freebsd/f1692469-45ce-11e5-adde-14dae9d210b8.html

gnutls-3.3.15 is vulnerable:
gnutls -- double free in certificate DN decoding
CVE: CVE-2015-6251
WWW: https://vuxml.FreeBSD.org/freebsd/ec6a2a1e-429d-11e5-9daa-14dae9d210b8.html

libidn-1.29 is vulnerable:
libidn -- out-of-bounds read issue with invalid UTF-8 input
CVE: CVE-2015-2059
WWW: https://vuxml.FreeBSD.org/freebsd/4caf01e2-30e6-11e5-a4a5-002590263bf5.html

gdk-pixbuf2-2.31.2_1 is vulnerable:
gdk-pixbuf2 -- heap overflow and DoS
CVE: CVE-2015-4491
WWW: https://vuxml.FreeBSD.org/freebsd/f5b8b670-465c-11e5-a49d-bcaec565249c.html

gdk-pixbuf2-2.31.2_1 is vulnerable:
gdk-pixbuf2 -- heap overflow and DoS affecting Firefox and other programs
WWW: https://vuxml.FreeBSD.org/freebsd/95eee71d-3068-11e5-a9b5-bcaec565249c.html

firefox-38.0.6,1 is vulnerable:
mozilla -- multiple vulnerabilities
CVE: CVE-2015-4000
CVE: CVE-2015-2743
CVE: CVE-2015-2742
CVE: CVE-2015-2741
CVE: CVE-2015-2740
CVE: CVE-2015-2739
CVE: CVE-2015-2738
CVE: CVE-2015-2737
CVE: CVE-2015-2736
CVE: CVE-2015-2735
CVE: CVE-2015-2734
CVE: CVE-2015-2733
CVE: CVE-2015-2731
CVE: CVE-2015-2730
CVE: CVE-2015-2729
CVE: CVE-2015-2728
CVE: CVE-2015-2727
CVE: CVE-2015-2726
CVE: CVE-2015-2725
CVE: CVE-2015-2724
CVE: CVE-2015-2722
CVE: CVE-2015-2721
WWW: https://vuxml.FreeBSD.org/freebsd/44d9daee-940c-4179-86bb-6e3ffd617869.html

firefox-38.0.6,1 is vulnerable:
libvpx -- multiple buffer overflows
CVE: CVE-2015-4486
CVE: CVE-2015-4485
WWW: https://vuxml.FreeBSD.org/freebsd/34e60332-2448-4ed6-93f0-12713749f250.html

firefox-38.0.6,1 is vulnerable:
mozilla -- multiple vulnerabilities
CVE: CVE-2015-4493
CVE: CVE-2015-4492
CVE: CVE-2015-4491
CVE: CVE-2015-4490
CVE: CVE-2015-4489
CVE: CVE-2015-4488
CVE: CVE-2015-4487
CVE: CVE-2015-4484
CVE: CVE-2015-4483
CVE: CVE-2015-4482
CVE: CVE-2015-4481
CVE: CVE-2015-4480
CVE: CVE-2015-4479
CVE: CVE-2015-4478
CVE: CVE-2015-4477
CVE: CVE-2015-4475
CVE: CVE-2015-4474
CVE: CVE-2015-4473
WWW: https://vuxml.FreeBSD.org/freebsd/c66a5632-708a-4727-8236-d65b2d5b2739.html

firefox-38.0.6,1 is vulnerable:
mozilla -- multiple vulnerabilities
CVE: CVE-2015-4498
CVE: CVE-2015-4497
WWW: https://vuxml.FreeBSD.org/freebsd/237a201c-888b-487f-84d3-7d92266381d6.html

firefox-38.0.6,1 is vulnerable:
mozilla -- multiple vulnerabilities
CVE: CVE-2015-4495
WWW: https://vuxml.FreeBSD.org/freebsd/8eee06d4-c21d-4f07-a669-455151ff426f.html

pcre-8.37_1 is vulnerable:
pcre -- Heap Overflow Vulnerability in find_fixedlength()
CVE: CVE-2015-5073
WWW: https://vuxml.FreeBSD.org/freebsd/8a1d0e63-1e07-11e5-b43d-002590263bf5.html

pcre-8.37_1 is vulnerable:
pcre -- heap overflow vulnerability in '(?|' situations
WWW: https://vuxml.FreeBSD.org/freebsd/ff0acfb4-3efa-11e5-93ad-002590263bf5.html

pcre-8.37_1 is vulnerable:
pcre -- heap overflow vulnerability
WWW: https://vuxml.FreeBSD.org/freebsd/6900e6f1-4a79-11e5-9ad8-14dae9d210b8.html

thunderbird-31.7.0_1 is vulnerable:
mozilla -- multiple vulnerabilities
CVE: CVE-2015-4000
CVE: CVE-2015-2743
CVE: CVE-2015-2742
CVE: CVE-2015-2741
CVE: CVE-2015-2740
CVE: CVE-2015-2739
CVE: CVE-2015-2738
CVE: CVE-2015-2737
CVE: CVE-2015-2736
CVE: CVE-2015-2735
CVE: CVE-2015-2734
CVE: CVE-2015-2733
CVE: CVE-2015-2731
CVE: CVE-2015-2730
CVE: CVE-2015-2729
CVE: CVE-2015-2728
CVE: CVE-2015-2727
CVE: CVE-2015-2726
CVE: CVE-2015-2725
CVE: CVE-2015-2724
CVE: CVE-2015-2722
CVE: CVE-2015-2721
WWW: https://vuxml.FreeBSD.org/freebsd/44d9daee-940c-4179-86bb-6e3ffd617869.html

thunderbird-31.7.0_1 is vulnerable:
mozilla -- multiple vulnerabilities
CVE: CVE-2015-4493
CVE: CVE-2015-4492
CVE: CVE-2015-4491
CVE: CVE-2015-4490
CVE: CVE-2015-4489
CVE: CVE-2015-4488
CVE: CVE-2015-4487
CVE: CVE-2015-4484
CVE: CVE-2015-4483
CVE: CVE-2015-4482
CVE: CVE-2015-4481
CVE: CVE-2015-4480
CVE: CVE-2015-4479
CVE: CVE-2015-4478
CVE: CVE-2015-4477
CVE: CVE-2015-4475
CVE: CVE-2015-4474
CVE: CVE-2015-4473
WWW: https://vuxml.FreeBSD.org/freebsd/c66a5632-708a-4727-8236-d65b2d5b2739.html

8 problem(s) in the installed packages found.
#


This is the error that comes up in the VirtualBox machine upon entering the desktop:

Code:
VBoxClient:Initialising service:VERR_INTERNAL_ERROR


System message:

Code:
# uname -a
FreeBSD pc.ghostbsd-pc.home 10.1-RELEASE FreeBSD 10.1-RELEASE #0: Wed Jul  1 23:42:39 ADT 2015     root@ericbsd.ghostbsd.org:/usr/obj/mk/usr/src/sys/GENERIC  amd64
#
erno
 
Posts: 9
Joined: Tue Jul 14, 2015 8:38 pm
Has thanked: 0 time
Been thanked: 0 time
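
An added example, not part of the post above or of pkg itself: the listing repeats firefox, pcre and other packages across several advisories, so this sh/awk sketch condenses `pkg audit` output to one line per package and counts the distinct CVE identifiers. The sample input is an excerpt of the listing above; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: condense `pkg audit` output. Function names are this
# example's own; the sample is an excerpt of the listing in the post above.
# On a live system: pkg audit -F | audit_summary

# One line per package: "<name-version> <advisories> <distinct CVEs>".
audit_summary() {
    awk '
        / is vulnerable:$/ { pkg = $1; if (!(pkg in adv)) order[++n] = pkg; adv[pkg]++; next }
        /^CVE: /           { if (!((pkg, $2) in seen)) { seen[pkg, $2] = 1; cves[pkg]++ } }
        END { for (i = 1; i <= n; i++) printf "%s %d %d\n", order[i], adv[order[i]], cves[order[i]] }
    '
}

# Number of distinct CVE identifiers across all packages.
audit_distinct_cves() {
    awk '/^CVE: / && !seen[$2]++ { n++ } END { print n + 0 }'
}

sample_audit() {
    cat <<'EOF'
libvpx-1.4.0 is vulnerable:
libvpx -- multiple buffer overflows
CVE: CVE-2015-4486
CVE: CVE-2015-4485
WWW: https://vuxml.FreeBSD.org/freebsd/34e60332-2448-4ed6-93f0-12713749f250.html

firefox-38.0.6,1 is vulnerable:
libvpx -- multiple buffer overflows
CVE: CVE-2015-4486
CVE: CVE-2015-4485
WWW: https://vuxml.FreeBSD.org/freebsd/34e60332-2448-4ed6-93f0-12713749f250.html

firefox-38.0.6,1 is vulnerable:
mozilla -- multiple vulnerabilities
CVE: CVE-2015-4495
WWW: https://vuxml.FreeBSD.org/freebsd/8eee06d4-c21d-4f07-a669-455151ff426f.html

pcre-8.37_1 is vulnerable:
pcre -- heap overflow vulnerability
WWW: https://vuxml.FreeBSD.org/freebsd/6900e6f1-4a79-11e5-9ad8-14dae9d210b8.html
EOF
}

sample_audit | audit_summary
echo "distinct CVEs: $(sample_audit | audit_distinct_cves)"
```

Advisories without a CVE line, such as the pcre entry, still count as advisories and show a CVE count of 0.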



Re: Vulnerabilities in GhostBSD10.1-BETA2-2 Mate!

Post by ASX » Wed Sep 02, 2015 12:49 pm

Hi,

"System" can be updated using:
Code:
freebsd-update fetch
freebsd-update install

Before applying the updates, please READ the following thread, because unfortunately the update will result in a system lock-up:
https://www.freebsd.org/security/adviso ... 05.ufs.asc

To check the system version for kernel and world respectively:
freebsd-version -k
freebsd-version -u

The reported versions may differ, with the kernel apparently older than the world; that is perfectly fine, because the kernel version is bumped only if the update affects the kernel itself.

Packages can be updated using:
Code:
pkg upgrade


The file xorg.conf may not exist, because the current version of the Xorg server does the configuration automatically; if you want to manually add your xorg.conf file, that would be in /etc/X11. (The log file is /var/log/Xorg.0.log.)

The VBoxClient error depends on an upstream bug in "virtualbox-ose-guestadditions": if you are running your system on real hardware (as opposed to a vbox guest) you could remove that package because it is not needed outside a vbox guest.
ASX
Developer
 
Posts: 620
Joined: Wed May 06, 2015 3:46 pm
Location: ITALY
Has thanked: 28 times
Been thanked: 58 times

Re: Vulnerabilities in GhostBSD10.1-BETA2-2 Mate!

Post by erno » Wed Sep 02, 2015 1:50 pm

ASX wrote: Before applying the updates, please READ the following thread, because unfortunately the update will result in a system lock-up:
https://www.freebsd.org/security/adviso ... 05.ufs.asc

To check the system version for kernel and world respectively:

The reported versions may differ, with the kernel apparently older than the world; that is perfectly fine, because the kernel version is bumped only if the update affects the kernel itself.
Packages can be updated using

The file xorg.conf may not exist, because the current version of the Xorg server does the configuration automatically; if you want to manually add your xorg.conf file, that would be in /etc/X11. (The log file is /var/log/Xorg.0.log.)

The VBoxClient error depends on an upstream bug in "virtualbox-ose-guestadditions": if you are running your system on real hardware (as opposed to a vbox guest) you could remove that package because it is not needed outside a vbox guest.


Complicated update the system by using this link, to verify the version not? Generate problems to the update GhostBSD 10.1 BETA 2 Mate to incompatibility with FreeBSD 10.2 RELEASE.

The kernel version is:
Code:
# freebsd-version -k
10.1-RELEASE
#

Or:
Code:
# freebsd-version -u
10.1-RELEASE
#

Is GhostBSD a guest running in virtualbox, as I proceed to remove that package mentioned and causing the error? Thanks for your reply. :)
erno
 
Posts: 9
Joined: Tue Jul 14, 2015 8:38 pm
Has thanked: 0 time
Been thanked: 0 time

Re: Vulnerabilities in GhostBSD10.1-BETA2-2 Mate!

Post by ASX » Wed Sep 02, 2015 2:17 pm

Yes, it is a somewhat complicated update, but that is the only known workaround actually, and that doesn't depend on us.

I feel the need to clarify that the instructions provided before will NOT update the system to 10.2-RELEASE but only to 10.1-RELEASE-p18, where -p18 is for "patch level 18".

The update to 10.2 is still possible, but requires different commands. (And I already know there could be some problem at the moment due to some missing dependency in 10.2, so avoid it entirely for now.)

~~~

About the vbox guest: you are the only one who knows where your GhostBSD installation is running:
- on a hardware PC/Desktop/Laptop/Server
- inside Oracle VirtualBox, which is an "emulated environment" (a virtual computer) running on top of another OS.
(Or I'm misunderstanding your question ...)
ASX
Developer
 
Posts: 620
Joined: Wed May 06, 2015 3:46 pm
Location: ITALY
Has thanked: 28 times
Been thanked: 58 times

Re: Vulnerabilities in GhostBSD10.1-BETA2-2 Mate!

Post by erno » Wed Sep 02, 2015 2:41 pm

ASX wrote: Yes, it is a somewhat complicated update, but that is the only known workaround actually, and that doesn't depend on us.

I feel the need to clarify that the instructions provided before will NOT update the system to 10.2-RELEASE but only to 10.1-RELEASE-p18, where -p18 is for "patch level 18".

About the vbox guest: you are the only one who knows where your GhostBSD installation is running:
- on a hardware PC/Desktop/Laptop/Server
- inside Oracle VirtualBox, which is an "emulated environment" (a virtual computer) running on top of another OS.
(Or I'm misunderstanding your question ...)

After installing the system update, I proceeded thus:

Code:
# fetch https://security.FreeBSD.org/patches/EN-15:05/ufs.patch
fetch: https://security.FreeBSD.org/patches/EN-15:05/ufs.patch: size of remote file is not known
ufs.patch                                             9811  B   20 MBps 00m00s
#

And:
Code:
# fetch https://security.FreeBSD.org/patches/EN-15:05/ufs.patch.asc
fetch: https://security.FreeBSD.org/patches/EN-15:05/ufs.patch.asc: size of remote file is not known
ufs.patch.asc                                          833  B 4047 kBps 00m00s
#

To verify the signature with the PGP utility, I get this:
Code:
# gpg --verify ufs.patch.asc
gpg: directory '/root/.gnupg' created
gpg: new configuration file '/root/.gnupg/gpg.conf' created
gpg: WARNING: options in '/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: assuming signed data in 'ufs.patch'
gpg: Firmado el jue 14 may 00:59:54 2015 CEST usando clave RSA ID 5DCF6AE7
gpg: Imposible comprobar la firma: No public key 
#

What must I do? Then I did this, and this was the output:

Code:
# cd /usr/src
# patch < /path/to/patch
/path/to/patch: No such file or directory.
#


It is a portable PC on which VirtualBox is installed; please do not be berry, help me! :roll:
erno
 
Posts: 9
Joined: Tue Jul 14, 2015 8:38 pm
Has thanked: 0 time
Been thanked: 0 time
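
The gpg run in the post above ended in "No public key", so nothing about ufs.patch had been verified at that point. The following added example (not from the thread or the FreeBSD project) gates `patch` on gpg's machine-readable status lines and on a fingerprint obtained out of band; the function names, sample status lines, key ID and fingerprint are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Key IDs and fingerprints are constructed.

# Reads `gpg --status-fd 1 --verify` output on stdin; $1 is the fingerprint
# of the signing key, obtained out of band. Prints one verdict word.
gpg_verdict() {
    awk -v want="$1" '
        $1 != "[GNUPG:]"  { next }
        $2 == "NO_PUBKEY" { why = "missing-key" }   # the case shown in the post
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { if (why == "") why = "rejected" }
        $2 == "GOODSIG"   { good = 1 }
        $2 == "VALIDSIG"  { fpr = $3; primary = $NF }
        END {
            if (why != "")                           print why
            else if (!good || fpr == "")             print "unverified"
            else if (fpr != want && primary != want) print "wrong-key"
            else                                     print "trusted"
        }'
}

# Apply the patch only on a "trusted" verdict. $1 = absolute path to the patch
# (its signature is expected at $1.asc), $2 = expected fingerprint.
apply_verified_patch() {
    verdict=$(gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null | gpg_verdict "$2")
    if [ "$verdict" != "trusted" ]; then
        echo "refusing to apply $1: $verdict" >&2
        return 1
    fi
    (cd /usr/src && patch < "$1")
}

EXAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567   # constructed placeholder

sample_no_pubkey() {   # constructed status lines: signing key not in the keyring
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 89ABCDEF01234567 1 10 00 1431557994 9 -
[GNUPG:] NO_PUBKEY 89ABCDEF01234567
EOF
}

sample_good() {        # constructed status lines: good signature
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-05-13 1431557994 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
EOF
}

sample_no_pubkey | gpg_verdict "$EXAMPLE_FPR"
sample_good | gpg_verdict "$EXAMPLE_FPR"
```

The verdict fails closed: empty input, a missing key, or a good signature made by a key other than the pinned fingerprint all leave the patch unapplied.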

Re: Vulnerabilities in GhostBSD10.1-BETA2-2 Mate!

Post by beasty_fan_gams » Fri Jan 08, 2016 12:49 am

erno wrote: What must I do? Then I did this, and this was the output:

Code:
# cd /usr/src
# patch < /path/to/patch
/path/to/patch: No such file or directory.
#



It is a portable PC on which VirtualBox is installed; please do not be berry, help me!


erno, if that isn't a prank, you should do something like this. I guess that you downloaded the patch to the root ~, or to the root folder (I don't remember if it is /root, but I am going to say that it is so). Let us say, for example, that you downloaded the patch to /root; then you must type something like:

Code:
# cd /usr/src
## the line below is: patch < /path/to/patch
# patch < /root/ufs.patch


Just put "patch <", a space, and the path where you saved the patch.


Or you just got me with a joke... lol xDD
beasty_fan_gams
 
Posts: 1
Joined: Fri Jan 08, 2016 12:38 am
Has thanked: 0 time
Been thanked: 0 time
