Like many production-quality operating systems, FreeBSD publishes "Security Advisories". These advisories are usually mailed to the security lists and noted in the Errata only after the appropriate releases have been patched. This section explains what an advisory is, how to read it, and what measures to take in order to patch a system.
The FreeBSD security advisories look similar to the one below, taken from the freebsd-security-notifications mailing list.
=============================================================================
FreeBSD-SA-XX:XX.UTIL                                       Security Advisory
                                                          The FreeBSD Project

Topic:          denial of service due to some problem

Category:       core
Module:         sys
Announced:      2003-09-23
Credits:        Person@EMAIL-ADDRESS
Affects:        All releases of FreeBSD
                FreeBSD 4-STABLE prior to the correction date
Corrected:      2003-09-23 16:42:59 UTC (RELENG_4, 4.9-PRERELEASE)
                2003-09-23 20:08:42 UTC (RELENG_5_1, 5.1-RELEASE-p6)
                2003-09-23 20:07:06 UTC (RELENG_5_0, 5.0-RELEASE-p15)
                2003-09-23 16:44:58 UTC (RELENG_4_8, 4.8-RELEASE-p8)
                2003-09-23 16:47:34 UTC (RELENG_4_7, 4.7-RELEASE-p18)
                2003-09-23 16:49:46 UTC (RELENG_4_6, 4.6-RELEASE-p21)
                2003-09-23 16:51:24 UTC (RELENG_4_5, 4.5-RELEASE-p33)
                2003-09-23 16:52:45 UTC (RELENG_4_4, 4.4-RELEASE-p43)
                2003-09-23 16:54:39 UTC (RELENG_4_3, 4.3-RELEASE-p39)
CVE Name:       CVE-XXXX-XXXX

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit http://www.FreeBSD.org/security/.

I.   Background
II.  Problem Description
III. Impact
IV.  Workaround
V.   Solution
VI.  Correction details
VII. References
The Topic field indicates exactly what the problem is. It is basically an introduction to the current security advisory and notes the utility with the vulnerability.

The Category field refers to the affected part of the system, which may be one of core, contrib, or ports. The core category means that the vulnerability affects a core component of the FreeBSD operating system. The contrib category means that the vulnerability affects software contributed to the FreeBSD Project, such as sendmail. Finally, the ports category indicates that the vulnerability affects add-on software available as part of the Ports Collection.

The Module field refers to the component location, for instance sys. In this example, we see that the module, sys, is affected; therefore, this vulnerability affects a component used within the kernel.

The Announced field reflects the date the security advisory was published, or announced to the world. This means that the security team has verified that the problem does exist and that a patch has been committed to the FreeBSD source code repository.

The Credits field gives credit to the individual or organization who noticed the vulnerability and reported it.

The Affects field explains which releases of FreeBSD are affected by this vulnerability. For the kernel, a quick look over the output from ident on the affected files will help in determining the revision. For ports, the version number is listed after the port name in /var/db/pkg. If the system does not sync with the FreeBSD CVS repository and rebuild daily, chances are that it is affected.

The Corrected field indicates the date, time, time offset, and release that was corrected.

The CVE Name field is reserved for the identification information used to look up vulnerabilities in the Common Vulnerabilities Database system.

The Background field gives information on exactly what the affected utility is. Most of the time this is why the utility exists in FreeBSD, what it is used for, and a bit of information on how the utility came to be.

The Problem Description field explains the security hole in depth. This can include information on flawed code, or even how the utility could be maliciously used to open a security hole.

The Impact field describes what type of impact the problem could have on a system. For example, this could be anything from a denial of service attack, to extra privileges available to users, or even giving the attacker superuser access.

The Workaround field offers a feasible workaround to system administrators who may be incapable of upgrading the system. This may be due to time constraints, network availability, or a slew of other reasons. Regardless, security should not be taken lightly, and an affected system should either be patched or the security hole workaround should be implemented.

The Solution field offers instructions on patching the affected system. This is a step-by-step tested and verified method for getting a system patched and working securely.

The Correction Details field displays the CVS branch or release name with the periods changed to underscore characters. It also shows the revision number of the affected files within each branch.

The References field usually offers sources of other information. This can include web URLs, books, mailing lists, and newsgroups.
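As an added example (not part of the Handbook and not a FreeBSD project tool), the script below parses the header fields described above and compares the Corrected entries against a release string of the form uname -r prints, reporting whether the running patch level is at or past the corrected one. The advisory text embedded in it is a constructed abridgement of the sample shown earlier. The release-string grammar ("X.Y-RELEASE-pN", with a bare X.Y-RELEASE taken as patch level 0) and the "unknown" verdict for -STABLE and -PRERELEASE snapshots are this example's own assumptions; for those branches only the commit date or the ident output on the affected files can decide, as the Affects description notes.

```python
import re
from dataclasses import dataclass

# Constructed sample header, abridged from the advisory shown in this section.
SAMPLE_ADVISORY = """\
=============================================================================
FreeBSD-SA-XX:XX.UTIL                                       Security Advisory
                                                          The FreeBSD Project

Topic:          denial of service due to some problem

Category:       core
Module:         sys
Announced:      2003-09-23
Credits:        Person@EMAIL-ADDRESS
Affects:        All releases of FreeBSD
                FreeBSD 4-STABLE prior to the correction date
Corrected:      2003-09-23 16:42:59 UTC (RELENG_4, 4.9-PRERELEASE)
                2003-09-23 20:08:42 UTC (RELENG_5_1, 5.1-RELEASE-p6)
                2003-09-23 16:44:58 UTC (RELENG_4_8, 4.8-RELEASE-p8)
CVE Name:       CVE-XXXX-XXXX

For general information regarding FreeBSD Security Advisories, please
visit http://www.FreeBSD.org/security/.
"""

HEADER_KEYS = ("Topic", "Category", "Module", "Announced", "Credits",
               "Affects", "Corrected", "CVE Name")
KEY_RE = re.compile(r"^([A-Z][A-Za-z ]*):\s*(.*)$")
CORRECTED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC \((RELENG_\w+), ([\w.\-]+)\)$")
# Assumed release grammar: "4.8-RELEASE-p7" -> base "4.8-RELEASE", patch level 7
RELEASE_RE = re.compile(r"^(\d+\.\d+-[A-Z]+)(?:-p(\d+))?$")


@dataclass
class Correction:
    timestamp: str   # UTC commit time of the fix
    branch: str      # CVS branch tag, e.g. RELENG_4_8
    release: str     # release name and patch level, e.g. 4.8-RELEASE-p8


def parse_header(text):
    """Return {field: [lines]} for the header, folding indented continuations."""
    fields, current = {}, None
    for raw in text.splitlines():
        m = KEY_RE.match(raw)
        if m and m.group(1) in HEADER_KEYS:
            current = m.group(1)
            fields[current] = [m.group(2).strip()]
        elif raw[:1].isspace() and raw.strip() and current:
            fields[current].append(raw.strip())   # continuation line
        elif raw.strip():
            current = None   # any other flush-left text ends the field
    return fields


def parse_corrected(lines):
    """Turn each Corrected line into a Correction; reject anything unexpected."""
    out = []
    for line in lines:
        m = CORRECTED_RE.match(line)
        if not m:
            raise ValueError("unrecognised Corrected entry: %r" % line)
        out.append(Correction(*m.groups()))
    return out


def split_release(name):
    """'4.8-RELEASE-p7' -> ('4.8-RELEASE', 7). A bare X.Y-RELEASE is level 0;
    -STABLE/-PRERELEASE snapshots carry no patch level, so level is None."""
    m = RELEASE_RE.match(name)
    if not m:
        raise ValueError("unrecognised release string: %r" % name)
    base, patch = m.groups()
    if patch is not None:
        return base, int(patch)
    return base, (0 if base.endswith("-RELEASE") else None)


def assess(running, corrections):
    """'patched', 'vulnerable' or 'unknown' for a uname -r style string.
    'unknown' covers branches the advisory does not list and snapshot
    branches, where only the commit date or ident(1) output can decide."""
    base, level = split_release(running)
    for c in corrections:
        cbase, clevel = split_release(c.release)
        if cbase != base:
            continue
        if clevel is None or level is None:
            return "unknown"
        return "patched" if level >= clevel else "vulnerable"
    return "unknown"


def check_advisory(text, running):
    """Parse one advisory and assess a running release against it."""
    header = parse_header(text)
    corrections = parse_corrected(header["Corrected"])
    return {"topic": header["Topic"][0], "category": header["Category"][0],
            "module": header["Module"][0], "cve": header["CVE Name"][0],
            "status": assess(running, corrections)}


if __name__ == "__main__":
    import sys
    rel = sys.argv[1] if len(sys.argv) > 1 else "4.8-RELEASE-p7"
    print(check_advisory(SAMPLE_ADVISORY, rel))
```

Run it with the output of uname -r as its only argument. A "patched" verdict only says the patch level is at or past the one the advisory names; it does not replace checking the file revisions with ident, and for ports the version in /var/db/pkg is what has to be compared instead.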
All FreeBSD documents are available for download at http://ftp.FreeBSD.org/pub/FreeBSD/doc/

Questions that are not answered by the documentation may be sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.