From owner-freebsd-announce@freebsd.org Tue Apr 11 17:24:05 2017 Return-Path: Delivered-To: freebsd-announce@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id DBFB0D393DD for ; Tue, 11 Apr 2017 17:24:05 +0000 (UTC) (envelope-from annefreebsd@gmail.com) Received: from mail-io0-f195.google.com (mail-io0-f195.google.com [209.85.223.195]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id B4A6B1B4E for ; Tue, 11 Apr 2017 17:24:05 +0000 (UTC) (envelope-from annefreebsd@gmail.com) Received: by mail-io0-f195.google.com with SMTP id x86so1639240ioe.3 for ; Tue, 11 Apr 2017 10:24:05 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:content-transfer-encoding:subject :message-id:date:to:mime-version; bh=TXQ7EUQpwQw0DtGa45wMzIJVkmYFv+I7+63iSmBS7MM=; b=tr9WrGK7cz6xUgm4eC2JLeg7wCJzChR8yTtuzMudg4gzTMHDXAHCwE7JhCsFCtBYk4 0towshdRJR0PW5W56KBGIm15AWa/T8y+WMG96zPGxklDiGH3YpFS2+Zib2x+b0/8unKi aAoory/lHh6hJTT1F3gzhWak2dKH1oGgwLXpj0/VzeLxEZp3kFJuhd2v2En0NOiAOt6z 1P9twoHYaciPW+AbFBvDP8PESSTQ7vNax1o3haLHVFk7ym4D0+uvcrndRWd8WveKFQOH 0nL/v8h319hsd2K/kbjEkZuxL5jxhCVgyvsybykN7BXLUC+9tVv1xsVQ2ImIbB3fwlsT nKug== X-Gm-Message-State: AN3rC/7+hdJB2lfPirOu2wkCDm1WKVoU/+TKwilz4hKDQP7afXaG1XM2K4iWtbv+QaQQiw== X-Received: by 10.36.91.67 with SMTP id g64mr18147684itb.20.1491930982460; Tue, 11 Apr 2017 10:16:22 -0700 (PDT) Received: from [10.0.0.137] (c-98-220-25-176.hsd1.il.comcast.net. [98.220.25.176]) by smtp.gmail.com with ESMTPSA id e9sm1157837ite.15.2017.04.11.10.16.21 for (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 11 Apr 2017 10:16:21 -0700 (PDT) From: Anne Dickison Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Message-Id: Date: Tue, 11 Apr 2017 12:16:19 -0500 To: freebsd-announce@freebsd.org Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\)) X-Mailer: Apple Mail (2.2104) X-Mailman-Approved-At: Tue, 11 Apr 2017 18:19:27 +0000 Subject: [FreeBSD-Announce] Expo passes to join FreeBSD at OSCON17 X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 11 Apr 2017 17:24:06 -0000 Hi everyone, The FreeBSD Foundation will be staffing a FreeBSD Booth at OSCON 2017, = taking place in Austin, TX, May 8-11, 2017. If you=E2=80=99d like to = attend the Expo, please use code OSCON17XPO to obtain a free Expo Hall = pass.=20 If you are interested in attending other parts of the conferences, we = also have also have a discount code for 20% off of your registration. Please use code USRG when registering.=20 http://oreil.ly/2m0jDru We=E2=80=99ll be at booth 109-3 and hope to see you there! Thanks Anne Anne Dickison Marketing Director FreeBSD Foundation 510.332.8323 From owner-freebsd-announce@freebsd.org Wed Apr 12 07:23:52 2017 Return-Path: Delivered-To: freebsd-announce@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id AD7FBD3A591 for ; Wed, 12 Apr 2017 07:23:52 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 91C48DFA; Wed, 12 Apr 2017 07:23:52 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 1035) id BAB4991D; Wed, 12 Apr 2017 07:23:51 +0000 (UTC) From: FreeBSD Errata Notices To: FreeBSD Errata Notices Reply-To: freebsd-stable@freebsd.org Precedence: bulk Message-Id: <20170412072351.BAB4991D@freefall.freebsd.org> Date: Wed, 12 Apr 2017 07:23:51 +0000 (UTC) Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-17:05.xen X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.23 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 12 Apr 2017 07:23:52 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-EN-17:05.xen Errata Notice The FreeBSD Project Topic: Xen migration enhancements Category: core Module: xen Announced: 2017-04-12 Credits: Citrix Systems R&D, Huawei Technologies Affects: All supported versions of FreeBSD. Corrected: 2017-03-21 08:38:12 UTC (stable/11, 11.0-STABLE) 2017-04-12 06:24:35 UTC (releng/11.0, 11.0-RELEASE-p9) 2017-03-29 17:11:41 UTC (stable/10, 10.3-STABLE) 2017-04-12 06:24:35 UTC (releng/10.3, 10.3-RELEASE-p18) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD when running as a Xen guest supports live-migration, that means being able to move from one physical Xen host to another without interruption of service. Due to the lack of ordering during the resume procedure devices might try to use the Xen PV timer before it's correctly resumed, leading to unexpected results. II. Problem Description There are three issues that currently prevent FreeBSD from working reliably under heavy live-migration stress: 1. FreeBSD cannot recover from a failed live migration. It is a Xen feature to fail a live migration, which means the VM will continue running on the same host. FreeBSD was not capable of coping with this situation. [This is https://reviews.freebsd.org/D9635] 2. User-space processes that make use of the xenstore device (/dev/xen/xenstore) might manage to lock-up the resume procedure, preventing the kernel from resuming correctly after a live-migration. [This is https://reviews.freebsd.org/D9638] 3. The Xen PV timer is attached to the xenpv bus on FreeBSD 11.0, and the xenpv bus itself is attached after the PCI bus and other buses. This means that the Xen PV timer is also resume quite late, and device drivers might try to use the timer before it's resumed correctly, leading to erratic behavior or lockups. III. Impact FreeBSD 10.3 and 11.0 are affected by the 1. and 2. issues when being migrated as a Xen guest. Only FreeBSD 11.0 is affected when live-migrated as a Xen guest. IV. Workaround Not attempting to use live-migration when running as a Xen guest will prevent those issues. Not having user-space processes will prevent issue 2. from happening. For issue 3, the administrator can switch to a different timer, like the TSC, if there is plan to migrate the VM: # sysctl -a | grep timecounter.choice kern.timecounter.choice: XENTIMER(950) ACPI-safe(850) i8254(0) TSC-low(-100) dummy(-1000000) # sysctl -w kern.timecounter.hardware=TSC-low V. Solution Issue 1. has been solved by adding the proper logic in FreeBSD in order to recover from failed live migrations. Issue 2. has been resolved by adding xenstore locking around the suspend procedure, in order to make sure no user-space process is holding the xenstore lock when going into suspension. Issue 3. has been solved by marking the Xen PV timer as not safe for suspension until the order issues can be solved. Perform one of the following: 1) Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. A reboot is required. 2) To update your system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install A reboot is required. 3) To update your system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 11.0] # fetch https://security.FreeBSD.org/patches/EN-17:05/xen-11.0.patch # fetch https://security.FreeBSD.org/patches/EN-17:05/xen-11.0.patch.asc # gpg --verify xen-11.0.patch.asc [FreeBSD 10.3] # fetch https://security.FreeBSD.org/patches/EN-17:05/xen-10.3.patch # fetch https://security.FreeBSD.org/patches/EN-17:05/xen-10.3.patch.asc # gpg --verify xen-10.3.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/10/ r316170 releng/10.3/ r316722 stable/11/ r315668 releng/11.0/ r316722 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.1.19 (FreeBSD) iQIzBAEBCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAljtyccACgkQ7Wfs1l3P aucjmxAAtLQLh+Xjlue/pTN4OQFSlfS4drkk2ufnQqJON7qe+P6MUcOJaZPb730C uFNX4XbRbUxsAx04N2LAygTungvl79LgacHAOL4UYC9z055qFISMY8/fPZN35k1G rDAJ5C0O7/YLCA7Uxcars1FfPFxNuLBK78tjvpP6PHXbI/jm6CO8NRgnlZRjRIAg 088M5Fqc4ucM6qfesG6cjpsb3QgwJz7ZP8ioLIJpdCsrmCSsW4+ceD9bfCxzIPHJ Gsb2nDw++n/QZEU0Ely6CjlNh9Y7oRDC7xcOzCyYGhUASATfqjfqSGOFUFpUD8PB IcGNXew4IxTU0hhpkKO42bdi5jORzJy4EVCHOrjPeecZ6NL5Cmj9Yvnd2SEV8ura Zm2+gpVmsL4hBTLg4cxjjGApzH11289imUfHCEhv2ehxLXEwSziDzAAcKaWdrTOU KQ3HSIaitxynWP8YhmYDgNP2599iuXSnJvUwLtYJ03zEUILV+NTvEKqTMqLzxA90 lYYjq+vsF3G+A31TWKwIWR1VU+CBec6NHvZd7nxWb236hfxHNJPrrqUDCqhOfHaG q6Lf//VPGTHAeLIQ5NPRr5/FwgsAHZCnyslg6bMQyqyql/3j/fMWKu4vOtI554mP 0GCTyEidEHxm3pXYCiv/RnTmnbiu7hQyZUFwgVISHlmnk+HWXSI= =xLET -----END PGP SIGNATURE----- From owner-freebsd-announce@freebsd.org Wed Apr 12 07:23:59 2017 Return-Path: Delivered-To: freebsd-announce@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 27E4CD3A5A2 for ; Wed, 12 Apr 2017 07:23:59 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 0AA56E17; Wed, 12 Apr 2017 07:23:59 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 1035) id 27C1B922; Wed, 12 Apr 2017 07:23:58 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20170412072358.27C1B922@freefall.freebsd.org> Date: Wed, 12 Apr 2017 07:23:58 +0000 (UTC) Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-17:03.ntp X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.23 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 12 Apr 2017 07:23:59 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-17:03.ntp Security Advisory The FreeBSD Project Topic: Multiple vulnerabilities of ntp Category: contrib Module: ntp Announced: 2017-04-12 Credits: Network Time Foundation Affects: All supported versions of FreeBSD. Corrected: 2017-03-28 04:48:17 UTC (stable/11, 11.0-STABLE) 2017-04-12 06:24:35 UTC (releng/11.0, 11.0-RELEASE-p9) 2017-03-28 04:48:55 UTC (stable/10, 10.3-STABLE) 2017-04-12 06:24:35 UTC (releng/10.3, 10.3-RELEASE-p18) CVE Name: CVE-2017-6464, CVE-2017-6462, CVE-2017-6463, CVE-2016-9042 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) used to synchronize the time of a computer system to a reference time source. II. Problem Description A vulnerability was discovered in the NTP server's parsing of configuration directives. [CVE-2017-6464] A vulnerability was found in NTP, in the parsing of packets from the DPTS Clock. [CVE-2017-6462] A vulnerability was discovered in the NTP server's parsing of configuration directives. [CVE-2017-6463] A vulnerability was found in NTP, affecting the origin timestamp check function. [CVE-2016-9042] III. Impact A remote, authenticated attacker could cause ntpd to crash by sending a crafted message. [CVE-2017-6463, CVE-2017-6464] A malicious device could send crafted messages, causing ntpd to crash. [CVE-2017-6462] An attacker able to spoof messages from all of the configured peers could send crafted packets to ntpd, causing later replies from those peers to be discarded, resulting in denial of service. [CVE-2016-9042] IV. Workaround No workaround is available, but systems not running ntpd(8) are not affected. Network administrators are advised to implement BCP-38, which helps to reduce the risk associated with these attacks. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. The ntpd service has to be restarted after the update. A reboot is recommended but not required. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install The ntpd service has to be restarted after the update. A reboot is recommended but not required. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 11.0] # fetch https://security.FreeBSD.org/patches/SA-17:03/ntp-11.0.patch.xz # fetch https://security.FreeBSD.org/patches/SA-17:03/ntp-11.0.patch.xz.asc # gpg --verify ntp-11.0.patch.xz.asc [FreeBSD 10.3] # fetch https://security.FreeBSD.org/patches/SA-17:03/ntp-10.3.patch.xz # fetch https://security.FreeBSD.org/patches/SA-17:03/ntp-10.3.patch.xz.asc # gpg --verify ntp-10.3.patch.xz.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart the applicable daemons, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/10/ r316069 releng/10.3/ r316722 stable/11/ r316068 releng/11.0/ r316722 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.1.19 (FreeBSD) iQIzBAEBCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAljty+gACgkQ7Wfs1l3P audFpxAA30Po/44RV8x98fcopL+/qX0bKhs2yORCcYs/ebrPaDW6ghdqPAPyNDen qJSoEU6FFZxU508reu6mcJIze0YzSC2D4Xe+BjtVjTUhgZ1mUlfx+0Dqa6DsmyPE wreYZ0+aPJPSg82P4pOR+Oo4Omh0BHXw/Yu+uJxd+VSGAWg9zJk9QcRyy3QKsPFn YbMYjAsMk1x2i/q6GzRnoJXAFT9c1QsKRP1QU3JivDEQEYwreqKxkG7Ex9OkUOmL CIPVG19K7iddnMfiQPjhPhyAOFWrtKMm1rjcg1vSEMUQ24MtVotGOgNkKXEf0vjT eVX91sIRYGgy9utg6Mg4pnDT7m94PMh7mORgfphHg7l7LFVGYKAbHF7khIMtrs4k /ZU5i7xZqKR6xNm4oWtaBC9EipkWfjnXjBRG30t3kdD2r7ElJ+Y3mvPdalFsxd+U gP2Wgn//byToXVUGFLChR7KSWDOjUpdiGu3UUDG4LmG/U4whDsSobPgOF3SzbALF mx8f7OWkOYCnQ9WuhI3PVvCdLncjZ5UdLaQ5nP53pn3rGk9C4MJpGlTI2iS1gwFV n09mE5zXueI3jVJm+An2X2Z3C8fTCRHb7n3Sej2wnrgiXk8z/8ftX6VJcUxdgW+A OYFztl0iKgjgEXix33FZ5baivohQVhAT5rUQRQ/+gcrvL8rbJQg= =58Te -----END PGP SIGNATURE-----