From owner-freebsd-security@freebsd.org Mon May 13 09:18:54 2019 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 728181588505 for ; Mon, 13 May 2019 09:18:54 +0000 (UTC) (envelope-from hiwk@lysator.liu.se) Received: from mail.lysator.liu.se (mail.lysator.liu.se [IPv6:2001:6b0:17:f0a0::3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 9C30B70587; Mon, 13 May 2019 09:18:53 +0000 (UTC) (envelope-from hiwk@lysator.liu.se) Received: from mail.lysator.liu.se (localhost [127.0.0.1]) by mail.lysator.liu.se (Postfix) with ESMTP id 59A2840008; Mon, 13 May 2019 11:18:49 +0200 (CEST) Received: from [10.181.0.160] (fw.tutus.se [213.115.50.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.lysator.liu.se (Postfix) with ESMTPSA id 3BAEB40007; Mon, 13 May 2019 11:18:49 +0200 (CEST) From: Joel Arbring Subject: Question about FreeBSD-SA-18:10.ip.asc patch information To: FreeBSD-security@FreeBSD.org Cc: secteam@FreeBSD.org Message-ID: <9e4f64fa-bc22-23dc-9d6f-6adec06c1e7b@lysator.liu.se> Date: Mon, 13 May 2019 11:18:48 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-Virus-Scanned: ClamAV using ClamSMTP X-Mailman-Approved-At: Mon, 13 May 2019 10:55:26 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 May 2019 09:18:54 -0000 Hi! The security advisory FreeBSD-SA-18:10.ip.asc says "Due to source code differences in FreeBSD 10-stable a patch is not yet available for FreeBSD 10.4. This will follow at a later date." I know that 10.4 is EOL now, but did that ever happen? Perhaps the advisory should be updated with either a reference to the patch, or a revised statement? Thanks in advance! [1] https://www.freebsd.org/security/advisories/FreeBSD-SA-18:10.ip.asc From owner-freebsd-security@freebsd.org Mon May 13 15:51:45 2019 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3C47B1592F64 for ; Mon, 13 May 2019 15:51:45 +0000 (UTC) (envelope-from brett@lariat.org) Received: from mail.lariat.net (mail.lariat.net [66.62.230.51]) by mx1.freebsd.org (Postfix) with ESMTP id C8DB187183 for ; Mon, 13 May 2019 15:51:42 +0000 (UTC) (envelope-from brett@lariat.org) Received: from Toshi.lariat.org (IDENT:ppp1000.lariat.net@localhost [127.0.0.1]) by mail.lariat.net (8.9.3/8.9.3) with ESMTP id JAA27159 for ; Mon, 13 May 2019 09:51:40 -0600 (MDT) Message-Id: <201905131551.JAA27159@mail.lariat.net> X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Mon, 13 May 2019 09:51:29 -0600 To: FreeBSD-security@freebsd.org From: Brett Glass Subject: Re: POC and patch for the CVE-2018-15473 Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1"; format=flowed Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: C8DB187183 X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; spf=pass (mx1.freebsd.org: domain of brett@lariat.org designates 66.62.230.51 as permitted sender) smtp.mailfrom=brett@lariat.org X-Spamd-Result: default: False [0.29 / 15.00]; ARC_NA(0.00)[]; FAKE_REPLY(1.00)[]; NEURAL_HAM_MEDIUM(-0.96)[-0.956,0]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+a]; MV_CASE(0.50)[]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; TO_DN_NONE(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_HAM_LONG(-0.56)[-0.555,0]; DMARC_NA(0.00)[lariat.org]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MX_GOOD(-0.01)[mail.lariat.org]; NEURAL_SPAM_SHORT(0.52)[0.522,0]; IP_SCORE(-0.01)[country: US(-0.06)]; RCVD_NO_TLS_LAST(0.10)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:19092, ipnet:66.62.228.0/22, country:US]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 May 2019 15:51:45 -0000 My company has remained with FreeBSD 11 for now because we have encountered NIC driver stability problems under heavy loads with FreeBSD 12.0. As an ISP, we also endure constant brute force username and password guessing attacks, so a fix for this problem is of interest to us. Is the FreeBSD port of OpenSSH 7.8 available for FreeBSD 11-STABLE from the ports collection and as a binary package? If not, shouldn't it be? --Brett Glass >Brahmanand Reddy writes: > > regarding the CVE-2018-15473 dint find find official patch from the openssh > > on freebsd OS base. > >CVE-2018-15473 is a user existence oracle bug which does not meet our >criteria for security advisories. > >FreeBSD 12 has OpenSSH 7.8, which is patched. FreeBSD 11 has OpenSSH >7.5, which is not. > >DES >-- >Dag-Erling Smørgrav - des@FreeBSD.org >_______________________________________________ >freebsd-security@freebsd.org mailing list >https://lists.freebsd.org/mailman/listinfo/freebsd-security >To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" From owner-freebsd-security@freebsd.org Mon May 13 16:13:26 2019 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 484B51593CF2 for ; Mon, 13 May 2019 16:13:26 +0000 (UTC) (envelope-from security@lordcow.org) Received: from mail.lordcow.org (lordcow.org [IPv6:2c0f:fb18:402:5::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "devaux.za.net", Issuer "Let's Encrypt Authority X3" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id B1068886E9 for ; Mon, 13 May 2019 16:13:23 +0000 (UTC) (envelope-from security@lordcow.org) Received: from lordcow.org (localhost [127.0.0.1]) by mail.lordcow.org (8.15.2/8.15.2) with ESMTPS id x4DGDHdO004197 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 13 May 2019 18:13:17 +0200 (SAST) (envelope-from lordcow@lordcow.org) X-Authentication-Warning: lordcow.org: Host localhost [127.0.0.1] claimed to be lordcow.org Received: (from lordcow@localhost) by lordcow.org (8.15.2/8.15.2/Submit) id x4DGDBOS003919; Mon, 13 May 2019 18:13:11 +0200 (SAST) (envelope-from lordcow) Date: Mon, 13 May 2019 18:13:11 +0200 From: Gareth de Vaux To: Brett Glass Cc: FreeBSD-security@freebsd.org Subject: Re: POC and patch for the CVE-2018-15473 Message-ID: <20190513161311.GA3080@lordcow.org> References: <201905131551.JAA27159@mail.lariat.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <201905131551.JAA27159@mail.lariat.net> User-Agent: Mutt/1.11.4 (2019-03-13) X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED autolearn=ham autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on lordcow.org X-Rspamd-Queue-Id: B1068886E9 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org; spf=pass (mx1.freebsd.org: domain of security@lordcow.org designates 2c0f:fb18:402:5::2 as permitted sender) smtp.mailfrom=security@lordcow.org X-Spamd-Result: default: False [-2.18 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-0.95)[-0.948,0]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2c0f:fb18:402:5::2/64]; NEURAL_HAM_LONG(-0.99)[-0.992,0]; MIME_GOOD(-0.10)[text/plain]; HAS_XAW(0.00)[]; DMARC_NA(0.00)[lordcow.org]; NEURAL_SPAM_SHORT(0.07)[0.074,0]; RCVD_COUNT_THREE(0.00)[3]; TO_MATCH_ENVRCPT_SOME(0.00)[]; MX_GOOD(-0.01)[mail.lordcow.org]; RCPT_COUNT_TWO(0.00)[2]; RCVD_TLS_LAST(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:37199, ipnet:2c0f:fb18::/32, country:ZA]; MID_RHS_MATCH_FROM(0.00)[]; IP_SCORE(-0.00)[country: ZA(-0.00)] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 May 2019 16:13:26 -0000 On Mon 2019-05-13 (09:51), Brett Glass wrote: > Is the FreeBSD port of OpenSSH 7.8 available for FreeBSD 11-STABLE > from the ports collection and as a binary package? If not, shouldn't it be? Yes, you can use the original at /usr/ports/security/openssh-portable From owner-freebsd-security@freebsd.org Mon May 13 16:32:31 2019 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 42E651594376 for ; Mon, 13 May 2019 16:32:31 +0000 (UTC) (envelope-from brett@lariat.org) Received: from mail.lariat.net (mail.lariat.net [66.62.230.51]) by mx1.freebsd.org (Postfix) with ESMTP id 57D7689725 for ; Mon, 13 May 2019 16:32:30 +0000 (UTC) (envelope-from brett@lariat.org) Received: from Toshi.lariat.org (IDENT:ppp1000.lariat.net@localhost [127.0.0.1]) by mail.lariat.net (8.9.3/8.9.3) with ESMTP id KAA27384; Mon, 13 May 2019 10:32:21 -0600 (MDT) Message-Id: <201905131632.KAA27384@mail.lariat.net> X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Mon, 13 May 2019 10:32:05 -0600 To: Gareth de Vaux From: Brett Glass Subject: Re: POC and patch for the CVE-2018-15473 Cc: FreeBSD-security@freebsd.org In-Reply-To: <20190513161311.GA3080@lordcow.org> References: <201905131551.JAA27159@mail.lariat.net> <20190513161311.GA3080@lordcow.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Rspamd-Queue-Id: 57D7689725 X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; spf=pass (mx1.freebsd.org: domain of brett@lariat.org designates 66.62.230.51 as permitted sender) smtp.mailfrom=brett@lariat.org X-Spamd-Result: default: False [-0.61 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-0.90)[-0.898,0]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+a]; MV_CASE(0.50)[]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[lariat.org]; NEURAL_HAM_LONG(-0.74)[-0.745,0]; NEURAL_SPAM_SHORT(0.76)[0.759,0]; TO_MATCH_ENVRCPT_SOME(0.00)[]; MX_GOOD(-0.01)[cached: mail.lariat.org]; RCPT_COUNT_TWO(0.00)[2]; IP_SCORE(-0.01)[country: US(-0.06)]; RCVD_NO_TLS_LAST(0.10)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:19092, ipnet:66.62.228.0/22, country:US]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 May 2019 16:32:31 -0000 At 10:13 AM 5/13/2019, you wrote: >On Mon 2019-05-13 (09:51), Brett Glass wrote: > > Is the FreeBSD port of OpenSSH 7.8 available for FreeBSD 11-STABLE > > from the ports collection and as a binary package? If not, shouldn't it be? > >Yes, you can use the original at /usr/ports/security/openssh-portable On my FreeBSD 11-STABLE boxes, the "distinfo" file for the "openssh-portable" port shows the version as "openssh-7.9p1". So, this is not 7.8 (which was tested with 12.0, at least, if not 11.x) and also has not been specifically tailored for FreeBSD. Am I likely to see any issues with the use of existing configuration files, performance, or features? Just asking, as a precaution, to ensure that I do not find myself with an unreachable machine if I install on a remote server. --Brett Glass From owner-freebsd-security@freebsd.org Mon May 13 17:03:47 2019 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3AE38159562C for ; Mon, 13 May 2019 17:03:47 +0000 (UTC) (envelope-from security@lordcow.org) Received: from mail.lordcow.org (lordcow.org [IPv6:2c0f:fb18:402:5::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "devaux.za.net", Issuer "Let's Encrypt Authority X3" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id B430D8AE57 for ; Mon, 13 May 2019 17:03:45 +0000 (UTC) (envelope-from security@lordcow.org) Received: from lordcow.org (localhost [127.0.0.1]) by mail.lordcow.org (8.15.2/8.15.2) with ESMTPS id x4DH3fGZ055187 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 13 May 2019 19:03:41 +0200 (SAST) (envelope-from lordcow@lordcow.org) X-Authentication-Warning: lordcow.org: Host localhost [127.0.0.1] claimed to be lordcow.org Received: (from lordcow@localhost) by lordcow.org (8.15.2/8.15.2/Submit) id x4DH3Z5p054931; Mon, 13 May 2019 19:03:35 +0200 (SAST) (envelope-from lordcow) Date: Mon, 13 May 2019 19:03:35 +0200 From: Gareth de Vaux To: Brett Glass Cc: FreeBSD-security@freebsd.org Subject: Re: POC and patch for the CVE-2018-15473 Message-ID: <20190513170335.GA12973@lordcow.org> References: <201905131551.JAA27159@mail.lariat.net> <20190513161311.GA3080@lordcow.org> <201905131632.KAA27384@mail.lariat.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <201905131632.KAA27384@mail.lariat.net> User-Agent: Mutt/1.11.4 (2019-03-13) X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED autolearn=ham autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on lordcow.org X-Rspamd-Queue-Id: B430D8AE57 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org; spf=pass (mx1.freebsd.org: domain of security@lordcow.org designates 2c0f:fb18:402:5::2 as permitted sender) smtp.mailfrom=security@lordcow.org X-Spamd-Result: default: False [-2.14 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-0.95)[-0.948,0]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2c0f:fb18:402:5::2/64]; NEURAL_HAM_LONG(-0.99)[-0.992,0]; MIME_GOOD(-0.10)[text/plain]; RCVD_TLS_LAST(0.00)[]; HAS_XAW(0.00)[]; DMARC_NA(0.00)[lordcow.org]; RCVD_COUNT_THREE(0.00)[3]; TO_MATCH_ENVRCPT_SOME(0.00)[]; NEURAL_SPAM_SHORT(0.11)[0.107,0]; MX_GOOD(-0.01)[cached: mail.lordcow.org]; RCPT_COUNT_TWO(0.00)[2]; IP_SCORE(-0.00)[country: ZA(-0.00)]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:37199, ipnet:2c0f:fb18::/32, country:ZA]; MID_RHS_MATCH_FROM(0.00)[] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 May 2019 17:03:47 -0000 On Mon 2019-05-13 (10:32), Brett Glass wrote: > On my FreeBSD 11-STABLE boxes, the "distinfo" file for the > "openssh-portable" port shows the version as "openssh-7.9p1". So, > this is not 7.8 (which was tested with 12.0, at least, if not 11.x) > and also has not been specifically tailored for FreeBSD. Am I > likely to see any issues with the use of existing configuration > files, performance, or features? Just asking, as a precaution, to > ensure that I do not find myself with an unreachable machine if I > install on a remote server. I'm currently using it on 11-STABLE and prefer it for security reasons but that's a longer discussion. Average configurations shouldn't be affected but you can install and configure it on a different port (/usr/local/etc/ssh/sshd_config as opposed to /etc/ssh/sshd_config) and start it without killing the existing sshd so you won't get locked out. /etc/rc.conf: #sshd_enable="YES" openssh_enable="YES" From owner-freebsd-security@freebsd.org Mon May 13 15:48:42 2019 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id DFDB21592DB4 for ; Mon, 13 May 2019 15:48:42 +0000 (UTC) (envelope-from brett@lariat.net) Received: from mail.lariat.net (mail.lariat.net [66.62.230.51]) by mx1.freebsd.org (Postfix) with ESMTP id 6F07786D57; Mon, 13 May 2019 15:48:41 +0000 (UTC) (envelope-from brett@lariat.net) Received: from Toshi.lariat.net (IDENT:ppp1000.lariat.net@localhost [127.0.0.1]) by mail.lariat.net (8.9.3/8.9.3) with ESMTP id JAA27049; Mon, 13 May 2019 09:40:12 -0600 (MDT) Message-Id: <201905131540.JAA27049@mail.lariat.net> X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Mon, 13 May 2019 09:37:49 -0600 To: Dag-Erling Smørgrav , Brahmanand Reddy From: Brett Glass Subject: Re: POC and patch for the CVE-2018-15473 Cc: FreeBSD-security@freebsd.org, openssh@openssh.com In-Reply-To: <86mukfhfb3.fsf@next.des.no> References: <86mukfhfb3.fsf@next.des.no> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1"; format=flowed Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 6F07786D57 X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; spf=pass (mx1.freebsd.org: domain of brett@lariat.net designates 66.62.230.51 as permitted sender) smtp.mailfrom=brett@lariat.net X-Spamd-Result: default: False [0.08 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-0.91)[-0.909,0]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[4]; R_SPF_ALLOW(-0.20)[+a]; MV_CASE(0.50)[]; TAGGED_RCPT(0.00)[]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[lariat.net]; TO_DN_SOME(0.00)[]; NEURAL_SPAM_SHORT(0.65)[0.648,0]; NEURAL_HAM_LONG(-0.94)[-0.936,0]; TO_MATCH_ENVRCPT_SOME(0.00)[]; MX_GOOD(-0.01)[mail.lariat.net,secondarymx.lariat.net]; IP_SCORE(-0.01)[country: US(-0.06)]; RCVD_NO_TLS_LAST(0.10)[]; TO_NEEDS_ENCODING(1.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:19092, ipnet:66.62.228.0/22, country:US]; RCVD_COUNT_TWO(0.00)[2]; FROM_EQ_ENVFROM(0.00)[] X-Mailman-Approved-At: Mon, 13 May 2019 17:08:45 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 May 2019 15:48:43 -0000 My company has remained with FreeBSD 11 for now because we have encountered NIC driver stability problems under heavy loads with FreeBSD 12.0. As an ISP, we also endure constant brute force username and password guessing attacks, so a fix for this problem is of interest to us. Is the FreeBSD port of OpenSSH 7.8 available for FreeBSD 11-STABLE from the ports collection? If not, shouldn't it be? --Brett Glass >Brahmanand Reddy writes: > > regarding the CVE-2018-15473 dint find find official patch from the openssh > > on freebsd OS base. > >CVE-2018-15473 is a user existence oracle bug which does not meet our >criteria for security advisories. > >FreeBSD 12 has OpenSSH 7.8, which is patched. FreeBSD 11 has OpenSSH >7.5, which is not. > >DES >-- >Dag-Erling Smørgrav - des@FreeBSD.org >_______________________________________________ >freebsd-security@freebsd.org mailing list >https://lists.freebsd.org/mailman/listinfo/freebsd-security >To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" From owner-freebsd-security@freebsd.org Wed May 15 00:01:10 2019 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 71194159D2F9 for ; Wed, 15 May 2019 00:01:10 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 1200F8B441; Wed, 15 May 2019 00:01:10 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id EE06C1AA59; Wed, 15 May 2019 00:01:09 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-19:03.wpa Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20190515000109.EE06C1AA59@freefall.freebsd.org> Date: Wed, 15 May 2019 00:01:09 +0000 (UTC) X-Rspamd-Queue-Id: 1200F8B441 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.93 / 15.00]; local_wl_from(0.00)[freebsd.org]; NEURAL_HAM_MEDIUM(-0.99)[-0.994,0]; NEURAL_HAM_SHORT(-0.94)[-0.940,0]; ASN(0.00)[asn:11403, ipnet:96.47.64.0/20, country:US]; NEURAL_HAM_LONG(-1.00)[-0.999,0] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 May 2019 00:01:10 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-19:03.wpa Security Advisory The FreeBSD Project Topic: Multiple vulnerabilities in hostapd and wpa_supplicant Category: contrib Module: wpa Announced: 2019-05-14 Affects: All supported versions of FreeBSD. Corrected: 2019-05-01 01:42:38 UTC (stable/12, 12.0-STABLE) 2019-05-14 22:57:29 UTC (releng/12.0, 12.0-RELEASE-p4) 2019-05-01 01:43:17 UTC (stable/11, 11.2-STABLE) 2019-05-14 22:59:32 UTC (releng/11.2, 11.2-RELEASE-p10) CVE Name: CVE-2019-9494, CVE-2019-9495, CVE-2019-9496, CVE-2019-9497, CVE-2019-9498, CVE-2019-9499, CVE-2019-11555 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background Wi-Fi Protected Access II (WPA2) is a security protocol developed by the Wi-Fi Alliance to secure wireless computer networks. hostapd(8) and wpa_supplicant(8) are implementations of user space daemon for access points and wireless client that implements the WPA2 protocol. II. Problem Description Multiple vulnerabilities exist in the hostapd(8) and wpa_supplicant(8) implementations. For more details, please see the reference URLs in the References section below. III. Impact Security of the wireless network may be compromised. For more details, please see the reference URLS in the References section below. IV. Workaround No workaround is available, but systems not using hostapd(8) or wpa_supplicant(8) are not affected. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Afterwards, restart hostapd(8) or wpa_supplicant(8). 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Afterwards, restart hostapd(8) or wpa_supplicant(8). 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 12.0] # fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-12.patch # fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-12.patch.asc # gpg --verify wpa-12.patch.asc [FreeBSD 11.2] # fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-11.patch # fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-11.patch.asc # gpg --verify wpa-11.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart the applicable daemons, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/12/ r346980 releng/12.0/ r347587 stable/11/ r346981 releng/11.2/ r347588 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzbTrVfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cLsaA/9EB577JYdYdwFCOQ6TiOVhyluLJzgrhG3aiXeBntj8ytkRjcXKnP0aega 3G2R1do7pixVYUF52OWJwaNO3Hm+LHMngiOqujcLI+49ISI3T/APaU/D2dqmXVb8 nN/Pd+0HDGj3R3MwyyHT8/3fX0pJ395vcQhYb61M6PUSrwr8uiBbILT57iCadZoL F4KOCvRv7I4EFWXvqngGfeohZbbeHPBga2DwuebWR/E/1uWrMKEOF2pvh4b6ZSN2 pdr7ZHMiL1cZt+p+2gwWoqDWyD93u2lTC7Gmo3Vom+meH7eaQ79obXEN541aiQ04 CYhjkwuW5uNGUWCO/Xsfn5gqICeB1G5A/aBHQlAyVgUGia8jukL1jn3ga4AQgKrN h9aTmvrQs17PjMVtq81ZS0xm0ztW0Y6t2A9fRgGcnOOw+uy5tHMbJaKSMy8x97NT gUyXtoyu47tjjMrzsQcma2t6/+iCEDuW1P1LybSmv/v59gro9uveCdl0busgM9GS M5bpWK/qYQS1HYmYeTKMRynmD8ntRbflYoUP/SpijHsz+56rgyeJO12WyltyT32f j5fgnKaznW/UPtgmK0wnPIG9XEj3Nzs4C4cypO5t8OiuLEli4wRdb6MYlvEjq4la R3lnCzmTd9sg+K6cod2qWWSYdsdEwizcpQDp7M9lRqomiANLqJ4= =MXma -----END PGP SIGNATURE----- From owner-freebsd-security@freebsd.org Wed May 15 00:01:33 2019 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id ED036159D366 for ; Wed, 15 May 2019 00:01:32 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 237908B4C6; Wed, 15 May 2019 00:01:32 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id 06CDA1AA84; Wed, 15 May 2019 00:01:32 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-19:04.ntp Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20190515000132.06CDA1AA84@freefall.freebsd.org> Date: Wed, 15 May 2019 00:01:32 +0000 (UTC) X-Rspamd-Queue-Id: 237908B4C6 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.93 / 15.00]; local_wl_from(0.00)[freebsd.org]; NEURAL_HAM_MEDIUM(-0.99)[-0.994,0]; NEURAL_HAM_SHORT(-0.94)[-0.940,0]; ASN(0.00)[asn:11403, ipnet:96.47.64.0/20, country:US]; NEURAL_HAM_LONG(-1.00)[-0.999,0] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 May 2019 00:01:33 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-19:04.ntp Security Advisory The FreeBSD Project Topic: Authenticated denial of service in ntpd Category: contrib Module: ntp Announced: 2019-05-14 Credits: Magnus Stubman Affects: All supported versions of FreeBSD Corrected: 2019-03-07 13:45:36 UTC (stable/12, 12.0-STABLE) 2019-05-14 23:02:56 UTC (releng/12.0, 12.0-RELEASE-p4) 2019-03-07 13:45:36 UTC (stable/11, 11.3-PRERELEASE) 2019-05-14 23:06:26 UTC (releng/11.2, 11.2-RELEASE-p10) CVE Name: CVE-2019-8936 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) used to synchronize the time of a computer system to a reference time source. The ntpd(8) daemon uses a protocol called mode 6 to both get status information from the running ntpd(8) daemon and configure it on the fly. This protocol is typically used by the ntpq(8) program, among others. II. Problem Description A crafted malicious authenticated mode 6 packet from a permitted network address can trigger a NULL pointer dereference. Note for this attack to work, the sending system must be on an address from which the target ntpd(8) accepts mode 6 packets, and must use a private key that is specifically listed as being used for mode 6 authorization. III. Impact The ntpd daemon can crash due to the NULL pointer dereference, causing a denial of service. IV. Workaround Use 'restrict noquery' in the ntpd configuration to limit addresses that can send mode 6 queries. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Afterwards, restart the ntpd service: # service ntpd restart 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 12.0] # fetch https://security.FreeBSD.org/patches/SA-19:04/ntp.patch # fetch https://security.FreeBSD.org/patches/SA-19:04/ntp.patch.asc # gpg --verify ntp.patch.asc [FreeBSD 11.2-RELEASE/11.3-PRERELEASE] # fetch https://security.FreeBSD.org/patches/SA-19:04/ntp-11.2.patch # fetch https://security.FreeBSD.org/patches/SA-19:04/ntp-11.2.patch.asc # gpg --verify ntp-11.2.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart the ntpd service, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/12/ r344884 releng/12.0/ r347589 stable/11/ r344884 releng/11.2/ r347590 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzbTrdfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cLGtw/8CNAYnLxARrMUK1QeC9sE7EaboYInSOgaunfK2Uw5tJk9b4GwWWjCSE0C hSWg4a9xv3pks2ppfEJzRuy0eoYmiU0MYblnAnCwCmE2d3WYlExO7hZJa1iK3uPO WvHre5q80kF8TJhS9rbph+6oyLaPun8f9PDIo4Oc2knTppNfrfzbB/HEuzP27KMp gCXD/Nk/5tHbXjkIGamWCf9wgYuw/typYRV3W6sWDuPhug2sAvWk1TMo0cMJ4BHL wL7Qh00rZ+nHWdk5GKFslga9gNjVPqD2DzRKCQO2bj4o+7ly2d+yk4jUpMKBq2r4 eQcQQnk9xj60NQ5cHGprOv6xwulBYycugF57iouNAP241cvVf+XZd4b/GthJODgz fhP0aquusmtkawida3ZWWIVCjkM5NmHQsY5VTQLvTudtemb3kdmRMy3dFDN7oyXZ PqP6JJUqamxNHilxRVytNCZLiSuy1P2MnJamyLZIqcDiT6yvMVBqwuGdQrSTSKyu g/sR+vUohuJrP2i3pCCEfGtH5Nfq6GpY6Swxec81wUoqReGVCGmSFSEaas21TFYf ZzAEAhywveGegkhqvsGP9A1zrTs6ZTCRzun32MhSo4xH/YZaArMvRa6JiSWTA1fG ctwXEwIBj0XNEWBsCPgVvaF9bglmQZ2Iqn4iOiHlRGT7KxgjT7w= =o9t5 -----END PGP SIGNATURE----- From owner-freebsd-security@freebsd.org Wed May 15 00:01:41 2019 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 235CB159D3B2 for ; Wed, 15 May 2019 00:01:41 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 702308B4F4; Wed, 15 May 2019 00:01:40 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id 44CC51AA95; Wed, 15 May 2019 00:01:40 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-19:05.pf Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20190515000140.44CC51AA95@freefall.freebsd.org> Date: Wed, 15 May 2019 00:01:40 +0000 (UTC) X-Rspamd-Queue-Id: 702308B4F4 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.93 / 15.00]; local_wl_from(0.00)[freebsd.org]; NEURAL_HAM_MEDIUM(-0.99)[-0.994,0]; NEURAL_HAM_SHORT(-0.94)[-0.940,0]; ASN(0.00)[asn:11403, ipnet:96.47.64.0/20, country:US]; NEURAL_HAM_LONG(-1.00)[-0.999,0] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 May 2019 00:01:41 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-19:05.pf Security Advisory The FreeBSD Project Topic: IPv6 fragment reassembly panic in pf(4) Category: contrib Module: pf Announced: 2019-05-14 Credits: Synacktiv Affects: All supported versions of FreeBSD Corrected: 2019-03-01 18:12:05 UTC (stable/12, 12.0-STABLE) 2019-05-14 23:10:21 UTC (releng/12.0, 12.0-RELEASE-p4) 2019-03-01 18:12:07 UTC (stable/11, 11.3-PRERELEASE) 2019-05-14 23:10:21 UTC (releng/11.2, 11.2-RELEASE-p10) CVE Name: CVE-2019-5597 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background pf(4) is an Internet Protocol packet filter originally written for OpenBSD. In addition to filtering packets, it also has packet normalization capabilities. II. Problem Description A bug in the pf(4) IPv6 fragment reassembly logic incorrectly uses the last extension header offset from the last received packet instead of from the first packet. III. Impact Malicious IPv6 packets with different IPv6 extensions could cause a kernel panic or potentially a filtering rule bypass. IV. Workaround Only systems leveraging the pf(4) firewall and include packet scrubbing using the recommended 'scrub all in' or similar are affected. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Afterwards, reboot the system. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Afterwards, reboot the system. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-19:05/pf.patch # fetch https://security.FreeBSD.org/patches/SA-19:05/pf.patch.asc # gpg --verify pf.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/12/ r344706 releng/12.0/ r347591 stable/11/ r344707 releng/11.2/ r347591 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzbTsNfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cL1cxAAjYy90WBfuBkU/FddQWMJkXOn2YqABFxY/BfFpJEbGrnXXuxz9YJByK3b 6ikWq5HcxgL/9ek6QULwEOoNvms8tT4m4waJOLa3hZPoPlgD2ArgvdcEI00R/8T9 Z+k1YlT0oLOY4XbVynPGNmiFNTAcsg7Ognp9yam3kmPZTMGYm6cKIBy1idrzCCmI nj0SscyoL4Z09kSWe3UOitjh8cpxqGuvGosCb7YGPl6yTSalBUgP44Lyg7jS4nrZ xjZxqhAfp7tk9peF4rov8apZIsrBF5GMaahnIGIwZzmRn/E1pND9qx1lB1Uh7rfR nb8OmwbshJTWdnS1GXyLxRGJOd0zmh+YZ10ygZAQTM5sNaxfn6pWJFmr2S/mR+kN RG/Bhj+lN7jh1eUNdwk/pAm0aZZ+J8GX4/QOrqPfGDko/s/S7YwJB/DKR/14uPY7 Fwcgv4tvgoRstSKHdIe45d7/N0SgQCS/EfzVIO5XPQtkrk9/zalQubionijObr1Q ARVl7H5M7m7kP8PJz/vRNvhar0c0xTk9ov2JDxKHKTd+7D78LQEAFvEGPIFREBsY VBW8BqZbuVcsgrhr/YWFE3TEw4O0YbnY5g9wmVv+d/pdDngLuTsfbNEsAQewWcu/ dYefeBMKBukyLUKtLYHjVAhUlL3hF3j/aBu498F6LRCzFcaoIOQ= =0alQ -----END PGP SIGNATURE----- From owner-freebsd-security@freebsd.org Wed May 15 00:01:43 2019 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 962D8159D3DC for ; Wed, 15 May 2019 00:01:43 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 3D5428B504; Wed, 15 May 2019 00:01:43 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id 13C981AAA0; Wed, 15 May 2019 00:01:43 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-19:06.pf Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20190515000143.13C981AAA0@freefall.freebsd.org> Date: Wed, 15 May 2019 00:01:43 +0000 (UTC) X-Rspamd-Queue-Id: 3D5428B504 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.93 / 15.00]; local_wl_from(0.00)[freebsd.org]; NEURAL_HAM_MEDIUM(-0.99)[-0.994,0]; NEURAL_HAM_SHORT(-0.94)[-0.940,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-1.00)[-0.999,0] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 May 2019 00:01:43 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-19:06.pf Security Advisory The FreeBSD Project Topic: ICMP/ICMP6 packet filter bypass in pf Category: contrib Module: pf Announced: 2019-05-14 Credits: Synacktiv Affects: All supported versions of FreeBSD Corrected: 2019-03-21 14:17:10 UTC (stable/12, 12.0-STABLE) 2019-05-14 23:12:22 UTC (releng/12.0, 12.0-RELEASE-p4) 2019-03-21 14:17:12 UTC (stable/11, 11.3-PRERELEASE) 2019-05-14 23:12:22 UTC (releng/11.2, 11.2-RELEASE-p10) CVE Name: CVE-2019-5598 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background pf(4) is an Internet Protocol packet filter originally written for OpenBSD. In addition to filtering packets, it also has packet normalization capabilities. II. Problem Description States in pf(4) let ICMP and ICMP6 packets pass if they have a packet in their payload matching an existing condition. pf(4) does not check if the outer ICMP or ICMP6 packet has the same destination IP as the source IP of the inner protocol packet. III. Impact A maliciously crafted ICMP/ICMP6 packet could bypass the packet filter rules and be passed to a host that would otherwise be unavailable. IV. Workaround No workaround is available. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Afterwards, reboot the system. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Afterwards, reboot the system. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-19:06/pf.patch # fetch https://security.FreeBSD.org/patches/SA-19:06/pf.patch.asc # gpg --verify pf.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/12/ r345377 releng/12.0/ r347593 stable/11/ r345378 releng/11.2/ r347593 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzbTsdfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cIjXA/9FevC+Ygihzb0J9MN0znEM883dk5sPCSvMwiivsNRkDMXreYqPXU+Fkt0 iV1OZ8tKwKAihm+iGJ5mzS5l40wWF1oDcqJrC0myICdvreraoJKZvTLhgGIBqKkE b8yIuzPueWdnnudoAzTV38RhyaP2aOb44OMUNPQZsEB/6hHsNvp9m6yAua/F+x9+ N9J38Y/C6udsNfhqDeuCI4G8yiN33XfFiRbF+31rt3s0rUm6KGNsJanJe8dNAEvE DN4tA4+MORnQ7QTLgOobGuLFhWJ2urC6psH8duO72hcSTzSkTZpxrC3f6SW8RlZ+ Pbr4LZ6FA3bZp/sCmWPOot94hotBDr03MZwrxURokeDHZU1nUBsw0rmTG4aypujl JrGPOAp89TtqrR0zV8DhpGO/RWoBeMDf7ZGvIplOIEF5rijQWEyC5pnYlBKPfSdm UTxcN9RoJCfz7O4KLAAqhHiuu6xc+CqlQH1dvyLbqGVv9LzUQlziTNsbQ4cGryuj g1TztU0VfpvHDkAKBh0iHwkoUqDSut3K19rFAQ3zkM/EodqSTkE1OG77pmsjYaVq AfcnN/se8lklq0lKi3BwNvVIWTjhMAwY63otVxvVD4wrJrgQH8NKgOeYuGBreXeW Uv569bIhR0/vsyGJK/SMKxBiAGfzkE7LqDMJqdXLsompX97nOwI= =m3as -----END PGP SIGNATURE----- From owner-freebsd-security@freebsd.org Wed May 15 00:03:03 2019 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3CCD6159D6C2 for ; Wed, 15 May 2019 00:03:03 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 86C0F8B729; Wed, 15 May 2019 00:03:02 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id 4BFF51AB7B; Wed, 15 May 2019 00:03:02 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-19:07.mds Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20190515000302.4BFF51AB7B@freefall.freebsd.org> Date: Wed, 15 May 2019 00:03:02 +0000 (UTC) X-Rspamd-Queue-Id: 86C0F8B729 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.93 / 15.00]; local_wl_from(0.00)[freebsd.org]; NEURAL_HAM_MEDIUM(-0.99)[-0.994,0]; NEURAL_HAM_SHORT(-0.94)[-0.940,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-1.00)[-0.999,0] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 May 2019 00:03:03 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-19:07.mds Security Advisory The FreeBSD Project Topic: Microarchitectural Data Sampling (MDS) Category: core Module: kernel Announced: 2019-05-14 Credits: Refer to Intel's security advisory at the URL below for detailed acknowledgements. Affects: All supported versions of FreeBSD. Corrected: 2019-05-14 17:04:00 UTC (stable/12, 12.0-STABLE) 2019-05-14 23:19:08 UTC (releng/12.0, 12.0-RELEASE-p4) 2019-05-14 17:05:02 UTC (stable/11, 11.3-PRERELEASE) 2019-05-14 23:20:16 UTC (releng/11.2, 11.2-RELEASE-p10) CVE Name: CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background Modern processors make use of speculative execution, an optimization technique which performs some action in advance of knowing whether the result will actually be used. II. Problem Description On some Intel processors utilizing speculative execution a local process may be able to infer stale information from microarchitectural buffers to obtain a memory disclosure. III. Impact An attacker may be able to read secret data from the kernel or from a process when executing untrusted code (for example, in a web browser). IV. Workaround No workaround is available. Systems with users or processors in different trust domains should disable Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0: # echo 'machdep.hyperthreading_allowed=0 >> /boot/loader.conf' # shutdown V. Solution Perform one of the following: Update CPU microcode, upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, evaluate mitigation and Hyper Threading controls, and reboot the system. New CPU microcode may be available in a BIOS update from your system vendor, or by installing the devcpu-data package or sysutils/devcpu-data port. Ensure that the BIOS update or devcpu-data package is dated after 2014-05-14. If using the package or port the microcode update can be applied at boot time by adding the following lines to the system's /boot/loader.conf: cpu_microcode_load="YES" cpu_microcode_name="/boot/firmware/intel-ucode.bin" Microcode updates can also be applied while the system is running. See cpucontrol(8) for details. 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Follow additional details under "Mitigation Configuration" below. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 12.0-STABLE] # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch.asc # gpg --verify mds.12-stable.patch.asc [FreeBSD 12.0-RELEASE] # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch.asc # gpg --verify mds.12.0.patch.asc [FreeBSD 11.3-PRERELEASE] # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch.asc # gpg --verify mds.11-stable.patch.asc [FreeBSD 11.2-RELEASE] # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch.asc # gpg --verify mds.11.2.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in . Mitigation Configuration Systems with users, processes, or virtual machines in different trust domains should disable Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0: # echo machdep.hyperthreading_allowed=0 >> /boot/loader.conf To activate the MDS mitigation set the hw.mds_disable sysctl. The settings are: 0 - mitigation disabled 1 - VERW instruction (microcode) mitigation enabled 2 - Software sequence mitigation enabled (not recommended) 3 - Automatic VERW or Software selection Automatic mode uses the VERW instruction if supported by the CPU / microcode, or software sequences if not. To enable automatic mode at boot: # echo hw.mds_disable=3 >> /etc/sysctl.conf Reboot the system: # shutdown -r +10min "Security update" Check the mitigation status: # sysctl hw.mds_disable_state hw.mds_disable_state: software Silvermont VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/12/ r347567 releng/12.0/ r346594 stable/11/ r347568 releng/11.2/ r347595 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzbTspfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cKcyA//ZlJa5eoNt0L2pcWAjukf1X+/iTjHv/t3wWclEfuPv2S9lO5SDlwxUV5x woGkxcIj7Tp51HJZRBjn62x/cwd6CjbpxsYPUvRs1Nkruj82/p6Yj5nSYrDCqqj1 k84hyCj0Y6V2NwbBEPTNXqqPbOmid0R3GrQJk1JXZ1zTf8VHGxrquXp1xP7PIPSX GWYup0k4edMCY2mbBb8QQQmQSg6S2k6eZnvF9AZUga5pM7FGYLo0rPHNVHx+te83 THvmnrJXnCR5AEjqmsubxwF/p+HneJke7HJxj1GjokzFgzTz3C9X3vUWHedwlVoD BzeqSgWD0icgJMYl8xGabeRzXj49tIzrC+twdXMtTLiDIKGxaRxqGVTMHYHgh44h GilgZ60X4m8e4Nuzf8xcQ1X2/QLvfWwZR+zUzQwOiKVoNp7nPJ5m8nr1s9anqDdl n1fJw3tqw+8ant58k71IKD5lCV0KhJXgD/Kd3TZWu9a4mnMlvuJWYbEKEvxSlvTh ghORCSg+OBEgN//t9a/3UaAOzqKijkN6Iau1JpMrFNtBOXgOO17B1jQGz1R2VKKb mu5gotDQqkdQocN+94sB8T3fouSa6ub2cUox34+DngqxuFeMv6Ffg1o/Z4C0mRUu bVdzPrsUai/Z7O/kBpUF6ddsBGsDXWElfo9flfbJonLcYndWyWc= =QUYl -----END PGP SIGNATURE----- From owner-freebsd-security@freebsd.org Wed May 15 03:07:41 2019 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 624B315A6601 for ; Wed, 15 May 2019 03:07:41 +0000 (UTC) (envelope-from 361163@163.com) Received: from proxy22674.mail.163.com (proxy22674.mail.163.com [113.108.226.74]) by mx1.freebsd.org (Postfix) with ESMTP id 8F54D6DB8C for ; Wed, 15 May 2019 03:07:38 +0000 (UTC) (envelope-from 361163@163.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=163.com; s=s110527; h=Date:From:Subject:MIME-Version:Message-ID; bh=H+uYe JMnD3xGL/Wf3+ubOlK7UJYnAgoKgzStte/Um9Y=; b=GCGHnIgGZieeiWTdjVwth DSwvzlt7MJ+uQ5lFQlRax5DkcG6HE0dp3gp+iQg7qxpyFBS04x3RUqvXeLk/MOeB B0Reoues91gywihbR0h3/S/tlcHmPxOJdKhh/yaLdh0xeuGOIWV7sMMeAkv3Y8du 0FDl70MRayjXnb9BlLkJzA= Received: from 361163$163.com ( [124.64.17.157] ) by ajax-webmail-wmsvr105 (Coremail) ; Wed, 15 May 2019 10:36:55 +0800 (GMT+08:00) X-Originating-IP: [124.64.17.157] Date: Wed, 15 May 2019 10:36:55 +0800 (GMT+08:00) From: 361163 <361163@163.com> To: freebsd-security Subject: Re: FreeBSD Security Advisory FreeBSD-SA-19: 07.mds X-Priority: 3 X-Mailer: Coremail Webmail Server Version SP_ntes V3.5 build 20180820(5a019900) Copyright (c) 2002-2019 www.mailtech.cn 163com In-Reply-To: <20190515000302.4BFF51AB7B@freefall.freebsd.org> References: <20190515000302.4BFF51AB7B@freefall.freebsd.org> MIME-Version: 1.0 Message-ID: <39f66405.9747.16ab9598fe6.Coremail.361163@163.com> X-Coremail-Locale: zh_CN X-CM-TRANSID: acGowADn9plHe9tcAO0bAA--.62122W X-CM-SenderInfo: itwrilqt6rljoofrz/1tbiPhe1I1xBbQahlAABs9 X-Coremail-Antispam: 1U5529EdanIXcx71UUUUU7vcSsGvfC2KfnxnUU== X-Rspamd-Queue-Id: 8F54D6DB8C X-Spamd-Bar: ++++++++++ Authentication-Results: mx1.freebsd.org; dkim=pass header.d=163.com header.s=s110527 header.b=GCGHnIgG; dmarc=pass (policy=none) header.from=163.com; spf=pass (mx1.freebsd.org: domain of 361163@163.com designates 113.108.226.74 as permitted sender) smtp.mailfrom=361163@163.com X-Spamd-Result: default: False [10.06 / 15.00]; HAS_XOIP(0.00)[]; FREEMAIL_FROM(0.00)[163.com]; R_SPF_ALLOW(-0.20)[+ip4:113.108.226.64/26]; ZERO_FONT(0.10)[1]; TO_DN_ALL(0.00)[]; DKIM_TRACE(0.00)[163.com:+]; DMARC_POLICY_ALLOW(-0.50)[163.com,none]; MIME_BASE64_TEXT(0.10)[]; HAS_X_PRIO_THREE(0.00)[3]; MX_GOOD(-0.01)[cached: 163mx00.mxmail.netease.com]; RCVD_NO_TLS_LAST(0.10)[]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+]; FREEMAIL_ENVFROM(0.00)[163.com]; ASN(0.00)[asn:58466, ipnet:113.108.224.0/20, country:CN]; IP_SCORE(1.74)[ip: (4.20), ipnet: 113.108.224.0/20(2.10), asn: 58466(2.38), country: CN(0.02)]; DWL_DNSWL_NONE(0.00)[163.com.dwl.dnswl.org : 127.0.5.0]; ARC_NA(0.00)[]; R_DKIM_ALLOW(-0.20)[163.com:s=s110527]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; NEURAL_SPAM_SHORT(0.98)[0.984,0]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; NEURAL_SPAM_MEDIUM(0.99)[0.994,0]; RCPT_COUNT_ONE(0.00)[1]; MANY_INVISIBLE_PARTS(0.05)[1]; NEURAL_SPAM_LONG(1.00)[1.000,0]; MID_CONTAINS_FROM(1.00)[]; R_SUSPICIOUS_URL(5.00)[maas.mail.163.com,mail-online.nosdn.127.net]; RCVD_COUNT_TWO(0.00)[2]; GREYLIST(0.00)[pass,body] X-Spam: Yes Content-Type: text/plain; charset=GBK Content-Transfer-Encoding: base64 X-Content-Filtered-By: Mailman/MimeDel 2.1.29 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 May 2019 03:07:41 -0000 ZnJlZWJzZC1zZWN1cml0eS11bnN1YnNjcmliZUBmcmVlYnNkLm9yZwoKCgoKfCB8CjM2MTE2MwrT ys/ko7ozNjExNjNAMTYzLmNvbQp8CgpTaWduYXR1cmUgaXMgY3VzdG9taXplZCBieSBOZXRlYXNl IE1haWwgTWFzdGVyCgpPbiAwNS8xNS8yMDE5IDA4OjAzLCBGcmVlQlNEIFNlY3VyaXR5IEFkdmlz b3JpZXMgd3JvdGU6Ci0tLS0tQkVHSU4gUEdQIFNJR05FRCBNRVNTQUdFLS0tLS0KSGFzaDogU0hB NTEyCgo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PQpGcmVlQlNELVNBLTE5OjA3Lm1kcyAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTZWN1cml0eSBBZHZpc29yeQogICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUaGUgRnJlZUJT RCBQcm9qZWN0CgpUb3BpYzogICAgICAgICAgTWljcm9hcmNoaXRlY3R1cmFsIERhdGEgU2FtcGxp bmcgKE1EUykKCkNhdGVnb3J5OiAgICAgICBjb3JlCk1vZHVsZTogICAgICAgICBrZXJuZWwKQW5u b3VuY2VkOiAgICAgIDIwMTktMDUtMTQKQ3JlZGl0czogICAgICAgIFJlZmVyIHRvIEludGVsJ3Mg c2VjdXJpdHkgYWR2aXNvcnkgYXQgdGhlIFVSTCBiZWxvdyBmb3IKICAgICAgICAgICAgICAgZGV0 YWlsZWQgYWNrbm93bGVkZ2VtZW50cy4KQWZmZWN0czogICAgICAgIEFsbCBzdXBwb3J0ZWQgdmVy c2lvbnMgb2YgRnJlZUJTRC4KQ29ycmVjdGVkOiAgICAgIDIwMTktMDUtMTQgMTc6MDQ6MDAgVVRD IChzdGFibGUvMTIsIDEyLjAtU1RBQkxFKQogICAgICAgICAgICAgICAyMDE5LTA1LTE0IDIzOjE5 OjA4IFVUQyAocmVsZW5nLzEyLjAsIDEyLjAtUkVMRUFTRS1wNCkKICAgICAgICAgICAgICAgMjAx OS0wNS0xNCAxNzowNTowMiBVVEMgKHN0YWJsZS8xMSwgMTEuMy1QUkVSRUxFQVNFKQogICAgICAg ICAgICAgICAyMDE5LTA1LTE0IDIzOjIwOjE2IFVUQyAocmVsZW5nLzExLjIsIDExLjItUkVMRUFT RS1wMTApCkNWRSBOYW1lOiAgICAgICBDVkUtMjAxOC0xMjEyNiwgQ1ZFLTIwMTgtMTIxMjcsIENW RS0yMDE4LTEyMTMwLAogICAgICAgQ1ZFLTIwMTktMTEwOTEKCkZvciBnZW5lcmFsIGluZm9ybWF0 aW9uIHJlZ2FyZGluZyBGcmVlQlNEIFNlY3VyaXR5IEFkdmlzb3JpZXMsCmluY2x1ZGluZyBkZXNj cmlwdGlvbnMgb2YgdGhlIGZpZWxkcyBhYm92ZSwgc2VjdXJpdHkgYnJhbmNoZXMsIGFuZCB0aGUK Zm9sbG93aW5nIHNlY3Rpb25zLCBwbGVhc2UgdmlzaXQgPFVSTDpodHRwczovL3NlY3VyaXR5LkZy ZWVCU0Qub3JnLz4uCgpJLiAgIEJhY2tncm91bmQKCk1vZGVybiBwcm9jZXNzb3JzIG1ha2UgdXNl IG9mIHNwZWN1bGF0aXZlIGV4ZWN1dGlvbiwgYW4gb3B0aW1pemF0aW9uCnRlY2huaXF1ZSB3aGlj aCBwZXJmb3JtcyBzb21lIGFjdGlvbiBpbiBhZHZhbmNlIG9mIGtub3dpbmcgd2hldGhlciB0aGUK cmVzdWx0IHdpbGwgYWN0dWFsbHkgYmUgdXNlZC4KCklJLiAgUHJvYmxlbSBEZXNjcmlwdGlvbgoK T24gc29tZSBJbnRlbCBwcm9jZXNzb3JzIHV0aWxpemluZyBzcGVjdWxhdGl2ZSBleGVjdXRpb24g YSBsb2NhbCBwcm9jZXNzIG1heQpiZSBhYmxlIHRvIGluZmVyIHN0YWxlIGluZm9ybWF0aW9uIGZy b20gbWljcm9hcmNoaXRlY3R1cmFsIGJ1ZmZlcnMgdG8gb2J0YWluCmEgbWVtb3J5IGRpc2Nsb3N1 cmUuCgpJSUkuIEltcGFjdAoKQW4gYXR0YWNrZXIgbWF5IGJlIGFibGUgdG8gcmVhZCBzZWNyZXQg ZGF0YSBmcm9tIHRoZSBrZXJuZWwgb3IgZnJvbSBhCnByb2Nlc3Mgd2hlbiBleGVjdXRpbmcgdW50 cnVzdGVkIGNvZGUgKGZvciBleGFtcGxlLCBpbiBhIHdlYiBicm93c2VyKS4KCklWLiAgV29ya2Fy b3VuZAoKTm8gd29ya2Fyb3VuZCBpcyBhdmFpbGFibGUuCgpTeXN0ZW1zIHdpdGggdXNlcnMgb3Ig cHJvY2Vzc29ycyBpbiBkaWZmZXJlbnQgdHJ1c3QgZG9tYWlucyBzaG91bGQgZGlzYWJsZQpIeXBl ci1UaHJlYWRpbmcgYnkgc2V0dGluZyB0aGUgbWFjaGRlcC5oeXBlcnRocmVhZGluZ19hbGxvd2Vk IHR1bmFibGUgdG8gMDoKCiMgZWNobyAnbWFjaGRlcC5oeXBlcnRocmVhZGluZ19hbGxvd2VkPTAg Pj4gL2Jvb3QvbG9hZGVyLmNvbmYnCiMgc2h1dGRvd24KClYuICAgU29sdXRpb24KClBlcmZvcm0g b25lIG9mIHRoZSBmb2xsb3dpbmc6CgpVcGRhdGUgQ1BVIG1pY3JvY29kZSwgdXBncmFkZSB5b3Vy IHZ1bG5lcmFibGUgc3lzdGVtIHRvIGEgc3VwcG9ydGVkIEZyZWVCU0QKc3RhYmxlIG9yIHJlbGVh c2UgLyBzZWN1cml0eSBicmFuY2ggKHJlbGVuZykgZGF0ZWQgYWZ0ZXIgdGhlIGNvcnJlY3Rpb24g ZGF0ZSwKZXZhbHVhdGUgbWl0aWdhdGlvbiBhbmQgSHlwZXIgVGhyZWFkaW5nIGNvbnRyb2xzLCBh bmQgcmVib290IHRoZSBzeXN0ZW0uCgpOZXcgQ1BVIG1pY3JvY29kZSBtYXkgYmUgYXZhaWxhYmxl IGluIGEgQklPUyB1cGRhdGUgZnJvbSB5b3VyIHN5c3RlbSB2ZW5kb3IsCm9yIGJ5IGluc3RhbGxp bmcgdGhlIGRldmNwdS1kYXRhIHBhY2thZ2Ugb3Igc3lzdXRpbHMvZGV2Y3B1LWRhdGEgcG9ydC4K RW5zdXJlIHRoYXQgdGhlIEJJT1MgdXBkYXRlIG9yIGRldmNwdS1kYXRhIHBhY2thZ2UgaXMgZGF0 ZWQgYWZ0ZXIgMjAxNC0wNS0xNC4KCklmIHVzaW5nIHRoZSBwYWNrYWdlIG9yIHBvcnQgdGhlIG1p Y3JvY29kZSB1cGRhdGUgY2FuIGJlIGFwcGxpZWQgYXQgYm9vdCB0aW1lCmJ5IGFkZGluZyB0aGUg Zm9sbG93aW5nIGxpbmVzIHRvIHRoZSBzeXN0ZW0ncyAvYm9vdC9sb2FkZXIuY29uZjoKCmNwdV9t aWNyb2NvZGVfbG9hZD0iWUVTIgpjcHVfbWljcm9jb2RlX25hbWU9Ii9ib290L2Zpcm13YXJlL2lu dGVsLXVjb2RlLmJpbiIKCk1pY3JvY29kZSB1cGRhdGVzIGNhbiBhbHNvIGJlIGFwcGxpZWQgd2hp bGUgdGhlIHN5c3RlbSBpcyBydW5uaW5nLiAgU2VlCmNwdWNvbnRyb2woOCkgZm9yIGRldGFpbHMu CgoxKSBUbyB1cGRhdGUgeW91ciB2dWxuZXJhYmxlIHN5c3RlbSB2aWEgYSBiaW5hcnkgcGF0Y2g6 CgpTeXN0ZW1zIHJ1bm5pbmcgYSBSRUxFQVNFIHZlcnNpb24gb2YgRnJlZUJTRCBvbiB0aGUgaTM4 NiBvciBhbWQ2NApwbGF0Zm9ybXMgY2FuIGJlIHVwZGF0ZWQgdmlhIHRoZSBmcmVlYnNkLXVwZGF0 ZSg4KSB1dGlsaXR5OgoKIyBmcmVlYnNkLXVwZGF0ZSBmZXRjaAojIGZyZWVic2QtdXBkYXRlIGlu c3RhbGwKCkZvbGxvdyBhZGRpdGlvbmFsIGRldGFpbHMgdW5kZXIgIk1pdGlnYXRpb24gQ29uZmln dXJhdGlvbiIgYmVsb3cuCgoyKSBUbyB1cGRhdGUgeW91ciB2dWxuZXJhYmxlIHN5c3RlbSB2aWEg YSBzb3VyY2UgY29kZSBwYXRjaDoKClRoZSBmb2xsb3dpbmcgcGF0Y2hlcyBoYXZlIGJlZW4gdmVy aWZpZWQgdG8gYXBwbHkgdG8gdGhlIGFwcGxpY2FibGUKRnJlZUJTRCByZWxlYXNlIGJyYW5jaGVz LgoKYSkgRG93bmxvYWQgdGhlIHJlbGV2YW50IHBhdGNoIGZyb20gdGhlIGxvY2F0aW9uIGJlbG93 LCBhbmQgdmVyaWZ5IHRoZQpkZXRhY2hlZCBQR1Agc2lnbmF0dXJlIHVzaW5nIHlvdXIgUEdQIHV0 aWxpdHkuCgpbRnJlZUJTRCAxMi4wLVNUQUJMRV0KIyBmZXRjaCBodHRwczovL3NlY3VyaXR5LkZy ZWVCU0Qub3JnL3BhdGNoZXMvU0EtMTk6MDcvbWRzLjEyLXN0YWJsZS5wYXRjaAojIGZldGNoIGh0 dHBzOi8vc2VjdXJpdHkuRnJlZUJTRC5vcmcvcGF0Y2hlcy9TQS0xOTowNy9tZHMuMTItc3RhYmxl LnBhdGNoLmFzYwojIGdwZyAtLXZlcmlmeSBtZHMuMTItc3RhYmxlLnBhdGNoLmFzYwoKW0ZyZWVC U0QgMTIuMC1SRUxFQVNFXQojIGZldGNoIGh0dHBzOi8vc2VjdXJpdHkuRnJlZUJTRC5vcmcvcGF0 Y2hlcy9TQS0xOTowNy9tZHMuMTIuMC5wYXRjaAojIGZldGNoIGh0dHBzOi8vc2VjdXJpdHkuRnJl ZUJTRC5vcmcvcGF0Y2hlcy9TQS0xOTowNy9tZHMuMTIuMC5wYXRjaC5hc2MKIyBncGcgLS12ZXJp ZnkgbWRzLjEyLjAucGF0Y2guYXNjCgpbRnJlZUJTRCAxMS4zLVBSRVJFTEVBU0VdCiMgZmV0Y2gg aHR0cHM6Ly9zZWN1cml0eS5GcmVlQlNELm9yZy9wYXRjaGVzL1NBLTE5OjA3L21kcy4xMS1zdGFi bGUucGF0Y2gKIyBmZXRjaCBodHRwczovL3NlY3VyaXR5LkZyZWVCU0Qub3JnL3BhdGNoZXMvU0Et MTk6MDcvbWRzLjExLXN0YWJsZS5wYXRjaC5hc2MKIyBncGcgLS12ZXJpZnkgbWRzLjExLXN0YWJs ZS5wYXRjaC5hc2MKCltGcmVlQlNEIDExLjItUkVMRUFTRV0KIyBmZXRjaCBodHRwczovL3NlY3Vy aXR5LkZyZWVCU0Qub3JnL3BhdGNoZXMvU0EtMTk6MDcvbWRzLjExLjIucGF0Y2gKIyBmZXRjaCBo dHRwczovL3NlY3VyaXR5LkZyZWVCU0Qub3JnL3BhdGNoZXMvU0EtMTk6MDcvbWRzLjExLjIucGF0 Y2guYXNjCiMgZ3BnIC0tdmVyaWZ5IG1kcy4xMS4yLnBhdGNoLmFzYwoKYikgQXBwbHkgdGhlIHBh dGNoLiAgRXhlY3V0ZSB0aGUgZm9sbG93aW5nIGNvbW1hbmRzIGFzIHJvb3Q6CgojIGNkIC91c3Iv c3JjCiMgcGF0Y2ggPCAvcGF0aC90by9wYXRjaAoKYykgUmVjb21waWxlIHlvdXIga2VybmVsIGFz IGRlc2NyaWJlZCBpbgo8VVJMOmh0dHBzOi8vd3d3LkZyZWVCU0Qub3JnL2hhbmRib29rL2tlcm5l bGNvbmZpZy5odG1sPi4KCk1pdGlnYXRpb24gQ29uZmlndXJhdGlvbgoKU3lzdGVtcyB3aXRoIHVz ZXJzLCBwcm9jZXNzZXMsIG9yIHZpcnR1YWwgbWFjaGluZXMgaW4gZGlmZmVyZW50IHRydXN0CmRv bWFpbnMgc2hvdWxkIGRpc2FibGUgSHlwZXItVGhyZWFkaW5nIGJ5IHNldHRpbmcgdGhlCm1hY2hk ZXAuaHlwZXJ0aHJlYWRpbmdfYWxsb3dlZCB0dW5hYmxlIHRvIDA6CgojIGVjaG8gbWFjaGRlcC5o eXBlcnRocmVhZGluZ19hbGxvd2VkPTAgPj4gL2Jvb3QvbG9hZGVyLmNvbmYKClRvIGFjdGl2YXRl IHRoZSBNRFMgbWl0aWdhdGlvbiBzZXQgdGhlIGh3Lm1kc19kaXNhYmxlIHN5c2N0bC4gIFRoZSBz ZXR0aW5ncwphcmU6CgowIC0gbWl0aWdhdGlvbiBkaXNhYmxlZAoxIC0gVkVSVyBpbnN0cnVjdGlv biAobWljcm9jb2RlKSBtaXRpZ2F0aW9uIGVuYWJsZWQKMiAtIFNvZnR3YXJlIHNlcXVlbmNlIG1p dGlnYXRpb24gZW5hYmxlZCAobm90IHJlY29tbWVuZGVkKQozIC0gQXV0b21hdGljIFZFUlcgb3Ig U29mdHdhcmUgc2VsZWN0aW9uCgpBdXRvbWF0aWMgbW9kZSB1c2VzIHRoZSBWRVJXIGluc3RydWN0 aW9uIGlmIHN1cHBvcnRlZCBieSB0aGUgQ1BVIC8gbWljcm9jb2RlLApvciBzb2Z0d2FyZSBzZXF1 ZW5jZXMgaWYgbm90LiAgVG8gZW5hYmxlIGF1dG9tYXRpYyBtb2RlIGF0IGJvb3Q6CgojIGVjaG8g aHcubWRzX2Rpc2FibGU9MyA+PiAvZXRjL3N5c2N0bC5jb25mCgpSZWJvb3QgdGhlIHN5c3RlbToK CiMgc2h1dGRvd24gLXIgKzEwbWluICJTZWN1cml0eSB1cGRhdGUiCgpDaGVjayB0aGUgbWl0aWdh dGlvbiBzdGF0dXM6CgojIHN5c2N0bCBody5tZHNfZGlzYWJsZV9zdGF0ZQpody5tZHNfZGlzYWJs ZV9zdGF0ZTogc29mdHdhcmUgU2lsdmVybW9udAoKVkkuICBDb3JyZWN0aW9uIGRldGFpbHMKClRo ZSBmb2xsb3dpbmcgbGlzdCBjb250YWlucyB0aGUgY29ycmVjdGlvbiByZXZpc2lvbiBudW1iZXJz IGZvciBlYWNoCmFmZmVjdGVkIGJyYW5jaC4KCkJyYW5jaC9wYXRoICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmV2aXNpb24KLSAtLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tCnN0YWJsZS8xMi8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgIHIzNDc1NjcKcmVsZW5nLzEyLjAvICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcjM0NjU5NApzdGFibGUvMTEvICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByMzQ3NTY4 CnJlbGVuZy8xMS4yLyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgIHIzNDc1OTUKLSAtLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tCgpUbyBzZWUgd2hpY2ggZmlsZXMg d2VyZSBtb2RpZmllZCBieSBhIHBhcnRpY3VsYXIgcmV2aXNpb24sIHJ1biB0aGUKZm9sbG93aW5n IGNvbW1hbmQsIHJlcGxhY2luZyBOTk5OTk4gd2l0aCB0aGUgcmV2aXNpb24gbnVtYmVyLCBvbiBh Cm1hY2hpbmUgd2l0aCBTdWJ2ZXJzaW9uIGluc3RhbGxlZDoKCiMgc3ZuIGRpZmYgLWNOTk5OTk4g LS1zdW1tYXJpemUgc3ZuOi8vc3ZuLmZyZWVic2Qub3JnL2Jhc2UKCk9yIHZpc2l0IHRoZSBmb2xs b3dpbmcgVVJMLCByZXBsYWNpbmcgTk5OTk5OIHdpdGggdGhlIHJldmlzaW9uIG51bWJlcjoKCjxV Ukw6aHR0cHM6Ly9zdm53ZWIuZnJlZWJzZC5vcmcvYmFzZT92aWV3PXJldmlzaW9uJnJldmlzaW9u PU5OTk5OTj4KClZJSS4gUmVmZXJlbmNlcwoKPFVSTDpodHRwczovL3d3dy5pbnRlbC5jb20vY29u dGVudC93d3cvdXMvZW4vc2VjdXJpdHktY2VudGVyL2Fkdmlzb3J5L2ludGVsLXNhLTAwMjMzLmh0 bWw+CjxVUkw6aHR0cHM6Ly93d3cuaW50ZWwuY29tL2NvbnRlbnQvd3d3L3VzL2VuL2FyY2hpdGVj dHVyZS1hbmQtdGVjaG5vbG9neS9tZHMuaHRtbD4KClRoZSBsYXRlc3QgcmV2aXNpb24gb2YgdGhp cyBhZHZpc29yeSBpcyBhdmFpbGFibGUgYXQKPFVSTDpodHRwczovL3NlY3VyaXR5LkZyZWVCU0Qu b3JnL2Fkdmlzb3JpZXMvRnJlZUJTRC1TQS0xOTowNy5tZHMuYXNjPgotLS0tLUJFR0lOIFBHUCBT SUdOQVRVUkUtLS0tLQoKaVFLVEJBRUJDZ0I5RmlFRS9BNkhpdVd2NTRnQ2pXTlYwNWVTOUo2bjVj SUZBbHpiVHNwZkZJQUFBQUFBTGdBbwphWE56ZFdWeUxXWndja0J1YjNSaGRHbHZibk11YjNCbGJu Qm5jQzVtYVdaMGFHaHZjbk5sYldGdUxtNWxkRVpECk1FVTROemhCUlRWQlJrVTNPRGd3TWpoRU5q TTFOVVF6T1RjNU1rWTBPVVZCTjBVMVF6SUFDZ2tRMDVlUzlKNm4KNWNLY3lBLy9abEphNWVvTnQw TDJwY1dBanVrZjFYKy9pVGpIdi90M3dXY2xFZnVQdjJTOWxPNVNEbHd4VVY1eAp3b0dreGNJajdU cDUxSEpaUkJqbjYyeC9jd2Q2Q2picHhzWVBVdlJzMU5rcnVqODIvcDZZajVuU1lyRENxcWoxCms4 NGh5Q2owWTZWMk53YkJFUFROWHFxUGJPbWlkMFIzR3JRSmsxSlhaMXpUZjhWSEd4cnF1WHAxeFA3 UElQU1gKR1dZdXAwazRlZE1DWTJtYkJiOFFRUW1RU2c2UzJrNmVabnZGOUFaVWdhNXBNN0ZHWUxv MHJQSE5WSHgrdGU4MwpUSHZtbnJKWG5DUjVBRWpxbXN1Ynh3Ri9wK0huZUprZTdISnhqMUdqb2t6 Rmd6VHozQzlYM3ZVV0hlZHdsVm9ECkJ6ZXFTZ1dEMGljZ0pNWWw4eEdhYmVSelhqNDl0SXpyQyt0 d2RYTXRUTGlESUtHeGFSeHFHVlRNSFlIZ2g0NGgKR2lsZ1o2MFg0bThlNE51emY4eGNRMVgyL1FM dmZXd1pSK3pVelF3T2lLVm9OcDduUEo1bThucjFzOWFucURkbApuMWZKdzN0cXcrOGFudDU4azcx SUtENWxDVjBLaEpYZ0QvS2QzVFpXdTlhNG1uTWx2dUpXWWJFS0V2eFNsdlRoCmdoT1JDU2crT0JF Z04vL3Q5YS8zVWFBT3pxS2lqa042SWF1MUpwTXJGTnRCT1hnT08xN0IxalFHejFSMlZLS2IKbXU1 Z290RFFxa2RRb2NOKzk0c0I4VDNmb3VTYTZ1YjJjVW94MzQrRG5ncXh1RmVNdjZGZmcxby9aNEMw bVJVdQpiVmR6UHJzVWFpL1o3Ty9rQnBVRjZkZHNCR3NEWFdFbGZvOWZsZmJKb25MY1luZFd5V2M9 Cj1RVVlsCi0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQpfX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fXwpmcmVlYnNkLXNlY3VyaXR5QGZyZWVic2Qub3JnIG1h aWxpbmcgbGlzdApodHRwczovL2xpc3RzLmZyZWVic2Qub3JnL21haWxtYW4vbGlzdGluZm8vZnJl ZWJzZC1zZWN1cml0eQpUbyB1bnN1YnNjcmliZSwgc2VuZCBhbnkgbWFpbCB0byAiZnJlZWJzZC1z ZWN1cml0eS11bnN1YnNjcmliZUBmcmVlYnNkLm9yZyIK From owner-freebsd-security@freebsd.org Wed May 15 07:24:56 2019 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5611815AD726; Wed, 15 May 2019 07:24:56 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: from mail-it1-x143.google.com (mail-it1-x143.google.com [IPv6:2607:f8b0:4864:20::143]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 5EF3576ECB; Wed, 15 May 2019 07:24:55 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: by mail-it1-x143.google.com with SMTP id i10so3262782ite.0; Wed, 15 May 2019 00:24:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to:cc; bh=ff2vnuTJ8mVasrGzW/jV7iv0+IfZqncyo3mRVX58xZc=; b=K0iZt629PfrbftqB4vzxsIC9/G/rg/WToYNXLtuGd5ai1rtt8/CsmzDM5L33WT9xdR EZYcceq2f9hEHj918HovmFuaolzmB56guQJ/1pWinFW8npoilPVxEnh7loDriUbWm7kB 8IS/lD3GhoPF+VWSv9yvs+Sl5c7aI7n3KLeOanbqTUFLI+hVP8ODTxYiLhPOGujp9ZzR n+X8stC2lcT5GpYeaOFtslf/T3vSMz3gBEtubJf65XCE6yQhzI9K4fjFiBxS6c3YWdyu MSFE98GuXo9rKfAspF3zHyrfVw/TVsNHhS9OMfr/ytxM4SrzgaLFrJooSbrqsYK3R/8Q s6Lw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=ff2vnuTJ8mVasrGzW/jV7iv0+IfZqncyo3mRVX58xZc=; b=h6Vl/bpjEsrBGdOZHQMtmVykqeQRyw8C+h1ES6N1Ljala06do2WACnUoBWsCirESbo 5lvoAtgBoD4IwkdbrKJ2ueo5/JV/qAsUJgcXmxzDemezL2xLsmu1yE7aoSHzNm+Iz2pH eTW1QfCUUBzBRMRDxT23fzxx9vO0x+W37ZlOoYPyQqzSi30dD68enpz/tyH+VjbN84kB p27hxJWf6YzA8YpX6vrlhljEfYEk2USugcpEkXMYF4UzUkhC/eQ1ou+/ErR0bJkGjXTc Ok4nKKjq3EBPZ70mPrh0HVazztUYnHd7XzV2L+3cfCRZIDz3UxDwWOXV7Sl6muCY3ikR Ly3A== X-Gm-Message-State: APjAAAXZUMZRWy0PQmwXWQqcWu3EopUIKqul4pp9Cp/vdOGQr0l1WfzB k0jAMYuJ4AyAWWXOVfdJSNTaFchvrf+YFpZSwmxmhna3 X-Google-Smtp-Source: APXvYqw/oLTRcXUXBaEuDzhRcZ+oSHCd+iy8GAO1fKmdLOielmzktjf+ZVECCUNAnncsgjjPmSuoOmBISZs+8jPwhjo= X-Received: by 2002:a24:ac11:: with SMTP id s17mr6412332ite.132.1557905094444; Wed, 15 May 2019 00:24:54 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a02:a619:0:0:0:0:0 with HTTP; Wed, 15 May 2019 00:24:54 -0700 (PDT) From: grarpamp Date: Wed, 15 May 2019 03:24:54 -0400 Message-ID: Subject: ZombieLoad Attack: Intel Exploits You... Again! To: freebsd-security@freebsd.org Cc: freebsd-questions@freebsd.org Content-Type: text/plain; charset="UTF-8" X-Rspamd-Queue-Id: 5EF3576ECB X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20161025 header.b=K0iZt629; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of grarpamp@gmail.com designates 2607:f8b0:4864:20::143 as permitted sender) smtp.mailfrom=grarpamp@gmail.com X-Spamd-Result: default: False [-0.06 / 15.00]; R_SPF_ALLOW(0.00)[+ip6:2607:f8b0:4000::/36]; FREEMAIL_FROM(0.00)[gmail.com]; URIBL_RED(3.50)[zombieloadattack.com.multi.uribl.com]; TO_DN_NONE(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; DKIM_TRACE(0.00)[gmail.com:+]; RCPT_COUNT_TWO(0.00)[2]; DMARC_POLICY_ALLOW(0.00)[gmail.com,none]; MX_GOOD(-0.01)[cached: alt3.gmail-smtp-in.l.google.com]; SUBJECT_ENDS_EXCLAIM(0.00)[]; NEURAL_HAM_SHORT(-0.89)[-0.892,0]; HAS_ANON_DOMAIN(0.10)[]; FROM_EQ_ENVFROM(0.00)[]; IP_SCORE(-0.79)[ip: (1.64), ipnet: 2607:f8b0::/32(-3.26), asn: 15169(-2.27), country: US(-0.06)]; MIME_TRACE(0.00)[0:+]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; DWL_DNSWL_NONE(0.00)[gmail.com.dwl.dnswl.org : 127.0.5.0]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-0.99)[-0.987,0]; R_DKIM_ALLOW(0.00)[gmail.com:s=20161025]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; NEURAL_HAM_LONG(-0.99)[-0.986,0]; MIME_GOOD(-0.10)[text/plain]; RCVD_TLS_LAST(0.00)[]; BAD_REP_POLICIES(0.10)[]; RCVD_IN_DNSWL_NONE(0.00)[3.4.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.b.8.f.7.0.6.2.list.dnswl.org : 127.0.5.0] X-Mailman-Approved-At: Wed, 15 May 2019 10:39:01 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 May 2019 07:24:56 -0000 https://zombieloadattack.com/ https://zombieloadattack.com/zombieload.pdf https://www.cyberus-technology.de/posts/2019-05-14-zombieload.html https://github.com/IAIK/ZombieLoad https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12130 https://www.youtube.com/watch?v=wQvgyChrk_g FreeBSD people... See linux patches in and update your microcode, ports, etc. ZombieLoad Attack Watch out! Your processor resurrects your private browsing-history and other sensitive data. After Meltdown, Spectre, and Foreshadow, we discovered more critical vulnerabilities in modern processors. The ZombieLoad attack allows stealing sensitive data and keys while the computer accesses them. While programs normally only see their own data, a malicious program can exploit the fill buffers to get hold of secrets currently processed by other running programs. These secrets can be user-level secrets, such as browser history, website content, user keys, and passwords, or system-level secrets, such as disk encryption keys. The attack does not only work on personal computers but can also be exploited in the cloud. We verified the ZombieLoad attack on Intel processor generations released from 2011 onwards. ZombieLoad in Action In our demo, we show how an attacker can monitor the websites the victim is visiting despite using the privacy-protecting Tor browser in a virtual machine. From owner-freebsd-security@freebsd.org Wed May 15 10:59:01 2019 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A3BF7158D3A7 for ; Wed, 15 May 2019 10:59:01 +0000 (UTC) (envelope-from roam@ringlet.net) Received: from nimbus.fccf.net (nimbus.fccf.net [185.117.82.79]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 3884E865E3 for ; Wed, 15 May 2019 10:59:00 +0000 (UTC) (envelope-from roam@ringlet.net) Received: from straylight.m.ringlet.net (unknown [93.152.146.108]) by nimbus.fccf.net (Postfix) with ESMTPSA id 231553EA for ; Wed, 15 May 2019 13:53:08 +0300 (EEST) Received: from roam (uid 1000) (envelope-from roam@ringlet.net) id 621a36 by straylight.m.ringlet.net (DragonFly Mail Agent v0.11); Wed, 15 May 2019 13:53:05 +0300 Date: Wed, 15 May 2019 13:53:05 +0300 From: Peter Pentchev To: grarpamp Cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org Subject: Re: ZombieLoad Attack: Intel Exploits You... Again! Message-ID: <20190515105305.GL18665@straylight.m.ringlet.net> Mail-Followup-To: grarpamp , freebsd-security@freebsd.org, freebsd-questions@freebsd.org References: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="1X+6QtwRodzgDPAC" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) X-Rspamd-Queue-Id: 3884E865E3 X-Spamd-Bar: ++ Authentication-Results: mx1.freebsd.org; spf=pass (mx1.freebsd.org: domain of roam@ringlet.net designates 185.117.82.79 as permitted sender) smtp.mailfrom=roam@ringlet.net X-Spamd-Result: default: False [2.49 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(0.00)[+mx]; URIBL_RED(3.50)[zombieloadattack.com.multi.uribl.com]; SEM_URIBL_FRESH15(3.00)[zombieloadattack.com.fresh15.spameatingmonkey.net]; RCVD_COUNT_THREE(0.00)[3]; MX_GOOD(-0.01)[cached: nimbus.fccf.net]; HAS_ANON_DOMAIN(0.10)[]; NEURAL_HAM_SHORT(-0.16)[-0.162,0]; SUBJECT_ENDS_EXCLAIM(0.00)[]; SIGNED_PGP(-2.00)[]; FREEMAIL_TO(0.00)[gmail.com]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+,1:+]; ASN(0.00)[asn:200533, ipnet:185.117.82.0/24, country:BG]; IP_SCORE(0.01)[country: BG(0.05)]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-0.96)[-0.960,0]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; NEURAL_HAM_LONG(-0.89)[-0.890,0]; MIME_GOOD(-0.20)[multipart/signed,text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; DMARC_NA(0.00)[ringlet.net]; BAD_REP_POLICIES(0.10)[]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCVD_TLS_ALL(0.00)[]; GREYLIST(0.00)[pass,body] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 May 2019 10:59:01 -0000 --1X+6QtwRodzgDPAC Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, May 15, 2019 at 03:24:54AM -0400, grarpamp wrote: > https://zombieloadattack.com/ > https://zombieloadattack.com/zombieload.pdf > https://www.cyberus-technology.de/posts/2019-05-14-zombieload.html > https://github.com/IAIK/ZombieLoad > https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files > https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2018-12130 > https://www.youtube.com/watch?v=3DwQvgyChrk_g >=20 > FreeBSD people... > See linux patches in and update your microcode, ports, etc. So... https://www.freebsd.org/security/advisories/FreeBSD-SA-19:07.mds.asc = then? G'luck, Peter --=20 Peter Pentchev roam@{ringlet.net,debian.org,FreeBSD.org} pp@storpool.com PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13 --1X+6QtwRodzgDPAC Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEELuenpRf8EkzxFcNUZR7vsCUn3xMFAlzb74sACgkQZR7vsCUn 3xNDGxAAyhgyjMWgJwjAHUpOy83DeH/fTOZW6tn1riPrHe0iTEmcC9EceJvo+zqi XQV23to4PJ9UnMDoPIHfKYGv5vQxXU7zTXLpyHXNxUDF8TfI2LqOw9Y+zlB102Z7 YbMnrZK8846J/lT4NN+ITVuTAS2qc4TTtDlYrSsRAUDx3jACoLr26n2xx6XxbMfw DQC2o7J2sr7WUYZK/V6dVXFp+0DcJ3xWMfG4vZ/IDlOJhhnfIaAsxgbcLt+qcC9/ F/WHiLJQsp5+orjpCSJ9UOSJZxtE8e3ZtzbwIGpAtPHKTy+iuOicfs+ooLfcfg3D TwKTfER6ru/CZ5cnIbkYdxh/kYHcTyigbQvV4kSWHHrmN907uVYgVLXISCqdr65a U6NobX52ipGrKdTnficQU6MgQbD6zsdRMCs0gYuZxljzlbmnAAh18qlwUyMxSBli XpcXbOYwHifbwI0r9fcEJl1XokowUyEgzaTxaMfOoHKW5rq7UEBzcyoB3dvbN4sl 4tFX4eznVUoUMaRur8cX75SEBlBaDGrm2qRQOrTYJovY5dc7QXWLBNqQLAX8woW0 Qj0FWwrhbhtPMzRGy5fWoIhJUjKH8/rRyEuskWcQuh9z9unOr1l/qeZNuIQGGn47 fa2DsFbJjyLiEyQggStVD8tGmU/9ds7QQPd7s3HBWdMErWA7NPY= =jf60 -----END PGP SIGNATURE----- --1X+6QtwRodzgDPAC-- From owner-freebsd-security@freebsd.org Wed May 15 12:18:42 2019 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7F0D3158FD55 for ; Wed, 15 May 2019 12:18:42 +0000 (UTC) (envelope-from stephen.wall@redcom.com) Received: from smtp1.redcom.com (smtp1.redcom.com [192.86.3.143]) by mx1.freebsd.org (Postfix) with ESMTP id B1429896E5 for ; Wed, 15 May 2019 12:18:41 +0000 (UTC) (envelope-from stephen.wall@redcom.com) Received: from localhost (localhost [127.0.0.1]) by smtp1.redcom.com (Postfix) with ESMTP id 9A95CA0D4 for ; Wed, 15 May 2019 08:18:35 -0400 (EDT) X-Virus-Scanned: amavisd-new at redcom.com Received: from smtp1.redcom.com ([127.0.0.1]) by localhost (smtp1.redcom.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f4+2WZsR77hC for ; Wed, 15 May 2019 08:18:33 -0400 (EDT) Received: from pie.redcom.com (pie [192.168.33.15]) by smtp1.redcom.com (Postfix) with ESMTP id CA423A043 for ; Wed, 15 May 2019 08:18:33 -0400 (EDT) Received: from exch-02.redcom.com (exch-02.redcom.com [192.168.32.9]) by pie.redcom.com (8.11.7p1+Sun/8.10.2) with ESMTP id x4FCIXf27954 for ; Wed, 15 May 2019 08:18:33 -0400 (EDT) Received: from exch-02.redcom.com (fd00::ccaa:c259:22f8:6f4b) by exch-02.redcom.com (fd00::ccaa:c259:22f8:6f4b) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Wed, 15 May 2019 08:18:33 -0400 Received: from exch-02.redcom.com ([fe80::ccaa:c259:22f8:6f4b]) by exch-02.redcom.com ([fe80::ccaa:c259:22f8:6f4b%12]) with mapi id 15.00.1473.003; Wed, 15 May 2019 08:18:33 -0400 From: "Wall, Stephen" To: "freebsd-security@freebsd.org" Subject: RE: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-19:07.mds Thread-Topic: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-19:07.mds Thread-Index: AQHVCrc/ciY74VacHk2HoZYJsEJMo6ZsGJLQ Date: Wed, 15 May 2019 12:18:32 +0000 Message-ID: References: <20190515000302.44CBB1AB79@freefall.freebsd.org> In-Reply-To: <20190515000302.44CBB1AB79@freefall.freebsd.org> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [192.168.84.20] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Rspamd-Queue-Id: B1429896E5 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org; spf=pass (mx1.freebsd.org: domain of stephen.wall@redcom.com designates 192.86.3.143 as permitted sender) smtp.mailfrom=stephen.wall@redcom.com X-Spamd-Result: default: False [-2.42 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-0.98)[-0.980,0]; HAS_XOIP(0.00)[]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:192.86.3.143/32]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; DMARC_NA(0.00)[redcom.com]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_HAM_LONG(-0.99)[-0.991,0]; IP_SCORE(-0.01)[country: US(-0.06)]; MX_GOOD(-0.01)[smtp1.redcom.com]; NEURAL_HAM_SHORT(-0.23)[-0.227,0]; TO_DN_EQ_ADDR_ALL(0.00)[]; RCVD_NO_TLS_LAST(0.10)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:46679, ipnet:192.86.3.0/24, country:US]; RCVD_COUNT_SEVEN(0.00)[7] X-Mailman-Approved-At: Wed, 15 May 2019 13:21:21 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 May 2019 12:18:42 -0000 > New CPU microcode may be available in a BIOS update from your system vend= or, > or by installing the devcpu-data package or sysutils/devcpu-data port. > Ensure that the BIOS update or devcpu-data package is dated after 2014-05= -14. >=20 > If using the package or port the microcode update can be applied at boot = time > by adding the following lines to the system's /boot/loader.conf: >=20 > cpu_microcode_load=3D"YES" > cpu_microcode_name=3D"/boot/firmware/intel-ucode.bin" Is this applicable in a virtualized environment, or only on bare metal? If not applicable in a VM, is it at least harmless? Thanks - Steve Wall From owner-freebsd-security@freebsd.org Wed May 15 13:32:25 2019 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C2EFF1591A53 for ; Wed, 15 May 2019 13:32:25 +0000 (UTC) (envelope-from mike@sentex.net) Received: from pyroxene.sentex.ca (unknown [IPv6:2607:f3e0:0:3::18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "pyroxene.sentex.ca", Issuer "Let's Encrypt Authority X3" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 159ED8BD3C for ; Wed, 15 May 2019 13:32:15 +0000 (UTC) (envelope-from mike@sentex.net) Received: from [192.168.43.29] ([192.168.43.29]) by pyroxene.sentex.ca (8.15.2/8.15.2) with ESMTPS id x4FDWBl9045252 (version=TLSv1.2 cipher=AES128-SHA bits=128 verify=NO); Wed, 15 May 2019 09:32:12 -0400 (EDT) (envelope-from mike@sentex.net) Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-19:07.mds To: "Wall, Stephen" , "freebsd-security@freebsd.org" References: <20190515000302.44CBB1AB79@freefall.freebsd.org> From: mike tancsa Message-ID: <31b178d5-9998-d2a3-cc4c-d3f7d574743a@sentex.net> Date: Wed, 15 May 2019 09:32:12 -0400 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Content-Language: en-US X-Rspamd-Queue-Id: 159ED8BD3C X-Spamd-Bar: - Authentication-Results: mx1.freebsd.org; spf=pass (mx1.freebsd.org: domain of mike@sentex.net designates 2607:f3e0:0:3::18 as permitted sender) smtp.mailfrom=mike@sentex.net X-Spamd-Result: default: False [-1.43 / 15.00]; ARC_NA(0.00)[]; TO_DN_EQ_ADDR_SOME(0.00)[]; RCVD_TLS_ALL(0.00)[]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f3e0::/32]; NEURAL_HAM_LONG(-1.00)[-0.998,0]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[sentex.net]; RDNS_NONE(1.00)[]; TO_MATCH_ENVRCPT_SOME(0.00)[]; MX_GOOD(-0.01)[smtp.sentex.ca]; RCPT_COUNT_TWO(0.00)[2]; NEURAL_HAM_SHORT(-0.91)[-0.912,0]; NEURAL_HAM_MEDIUM(-0.98)[-0.980,0]; IP_SCORE(-1.73)[ipnet: 2607:f3e0::/32(-4.95), asn: 11647(-3.59), country: CA(-0.09)]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:11647, ipnet:2607:f3e0::/32, country:CA]; HFILTER_HOSTNAME_UNKNOWN(2.50)[]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 May 2019 13:32:25 -0000 On 5/15/2019 8:18 AM, Wall, Stephen wrote: >> New CPU microcode may be available in a BIOS update from your system v= endor, >> or by installing the devcpu-data package or sysutils/devcpu-data port.= >> Ensure that the BIOS update or devcpu-data package is dated after 2014= -05-14. >> >> If using the package or port the microcode update can be applied at bo= ot time >> by adding the following lines to the system's /boot/loader.conf: >> >> cpu_microcode_load=3D"YES" >> cpu_microcode_name=3D"/boot/firmware/intel-ucode.bin" > Is this applicable in a virtualized environment, or only on bare metal?= > If not applicable in a VM, is it at least harmless? Actually, just tried this on RELENG_11 (r347613)=C2=A0 and I get don't know how to load module '/boot/firmware/intel-ucode.bin' In boot/loader.conf I have cpu_microcode_load=3D"YES" cpu_microcode_name=3D"/boot/firmware/intel-ucode.bin" # ls -l /boot/firmware/intel-ucode.bin -rw-r--r--=C2=A0 1 root=C2=A0 wheel=C2=A0 uarch 2571264 May 15 08:47 /boot/firmware/intel-ucode.bin # sha256 /boot/firmware/intel-ucode.bin SHA256 (/boot/firmware/intel-ucode.bin) =3D 1fdb3a25467d285394eded8039ee8ab488f074903654981d35a4cdfe6ebf12fc From owner-freebsd-security@freebsd.org Wed May 15 14:28:03 2019 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id ABC831592D30 for ; Wed, 15 May 2019 14:28:03 +0000 (UTC) (envelope-from borjam@sarenet.es) Received: from cu1176c.smtpx.saremail.com (cu1176c.smtpx.saremail.com [195.16.148.151]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 792968D52A for ; Wed, 15 May 2019 14:28:02 +0000 (UTC) (envelope-from borjam@sarenet.es) Received: from [172.16.8.250] (unknown [192.148.167.11]) by proxypop02.sare.net (Postfix) with ESMTPA id 0B2EA9DC527; Wed, 15 May 2019 16:27:50 +0200 (CEST) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\)) Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-19:07.mds From: Borja Marcos In-Reply-To: <31b178d5-9998-d2a3-cc4c-d3f7d574743a@sentex.net> Date: Wed, 15 May 2019 16:27:49 +0200 Cc: "Wall, Stephen" , "freebsd-security@freebsd.org" Content-Transfer-Encoding: quoted-printable Message-Id: References: <20190515000302.44CBB1AB79@freefall.freebsd.org> <31b178d5-9998-d2a3-cc4c-d3f7d574743a@sentex.net> To: mike tancsa X-Mailer: Apple Mail (2.3445.104.11) X-Rspamd-Queue-Id: 792968D52A X-Spamd-Bar: ----- X-Spamd-Result: default: False [-5.80 / 15.00]; ARC_NA(0.00)[]; TO_DN_EQ_ADDR_SOME(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; R_SPF_ALLOW(-0.20)[+ip4:195.16.148.0/24]; MV_CASE(0.50)[]; MIME_GOOD(-0.10)[text/plain]; RCVD_TLS_LAST(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; TO_DN_SOME(0.00)[]; TO_MATCH_ENVRCPT_SOME(0.00)[]; MX_GOOD(-0.01)[smtp.sarenet.es,smtp.sarenet.es,smtp.sarenet.es]; DMARC_POLICY_ALLOW(-0.50)[sarenet.es,reject]; RCVD_IN_DNSWL_NONE(0.00)[151.148.16.195.list.dnswl.org : 127.0.10.0]; NEURAL_HAM_SHORT(-0.99)[-0.992,0]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; IP_SCORE(-2.50)[ip: (-6.76), ipnet: 195.16.128.0/19(-3.31), asn: 3262(-2.46), country: ES(0.05)]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:3262, ipnet:195.16.128.0/19, country:ES]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 May 2019 14:28:03 -0000 > On 15 May 2019, at 15:32, mike tancsa wrote: >=20 > Actually, just tried this on RELENG_11 (r347613) and I get >=20 > don't know how to load module '/boot/firmware/intel-ucode.bin' >=20 > In boot/loader.conf I have >=20 > cpu_microcode_load=3D"YES" > cpu_microcode_name=3D"/boot/firmware/intel-ucode.bin=E2=80=9D I used this: microcode_update_enable=3D=E2=80=9CYES" on /etc/rc.conf with the devcpu-data port installed and as far as I know = it updated the microcode. The script in /usr/local/etc/rc.d used cpucontrol(8) to load it. Or am I holding it wrong?=20 Borja. From owner-freebsd-security@freebsd.org Wed May 15 14:29:57 2019 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 9E56E1592F1E for ; Wed, 15 May 2019 14:29:57 +0000 (UTC) (envelope-from crest@rlwinm.de) Received: from mail.rlwinm.de (mail.rlwinm.de [IPv6:2a01:4f8:171:f902::5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 920D38D6E3 for ; Wed, 15 May 2019 14:29:56 +0000 (UTC) (envelope-from crest@rlwinm.de) Received: from crest.bultmann.eu (unknown [IPv6:2a00:c380:c0d5:1:4173:7ee5:560:b0c1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.rlwinm.de (Postfix) with ESMTPSA id C9829D12E for ; Wed, 15 May 2019 14:29:46 +0000 (UTC) Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-19:07.mds To: freebsd-security@freebsd.org References: <20190515000302.44CBB1AB79@freefall.freebsd.org> From: Jan Bramkamp Message-ID: <4d441f47-b81c-bcde-c7e2-a8906c4d134b@rlwinm.de> Date: Wed, 15 May 2019 16:29:46 +0200 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Content-Language: en-US X-Rspamd-Queue-Id: 920D38D6E3 X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; spf=pass (mx1.freebsd.org: domain of crest@rlwinm.de designates 2a01:4f8:171:f902::5 as permitted sender) smtp.mailfrom=crest@rlwinm.de X-Spamd-Result: default: False [-4.03 / 15.00]; ARC_NA(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+mx]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; TO_DN_NONE(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; DMARC_NA(0.00)[rlwinm.de]; MX_GOOD(-0.01)[mail.rlwinm.de]; NEURAL_HAM_SHORT(-0.94)[-0.943,0]; IP_SCORE(-0.78)[ipnet: 2a01:4f8::/29(-2.09), asn: 24940(-1.78), country: DE(-0.01)]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:24940, ipnet:2a01:4f8::/29, country:DE]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_TLS_ALL(0.00)[]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 May 2019 14:29:57 -0000 On 15.05.19 14:18, Wall, Stephen wrote: >> New CPU microcode may be available in a BIOS update from your system vendor, >> or by installing the devcpu-data package or sysutils/devcpu-data port. >> Ensure that the BIOS update or devcpu-data package is dated after 2014-05-14. >> >> If using the package or port the microcode update can be applied at boot time >> by adding the following lines to the system's /boot/loader.conf: >> >> cpu_microcode_load="YES" >> cpu_microcode_name="/boot/firmware/intel-ucode.bin" > Is this applicable in a virtualized environment, or only on bare metal? > If not applicable in a VM, is it at least harmless? Afaik you can't modify the microcode inside a VM, but give them time. I'm sure Intel optimized that security check away as well in some corner case yet to be discovered. From owner-freebsd-security@freebsd.org Wed May 15 14:32:07 2019 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E8D181593131 for ; Wed, 15 May 2019 14:32:06 +0000 (UTC) (envelope-from jhellenthal@dataix.net) Received: from mail-io1-xd2f.google.com (mail-io1-xd2f.google.com [IPv6:2607:f8b0:4864:20::d2f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id A8D298DB19 for ; Wed, 15 May 2019 14:32:05 +0000 (UTC) (envelope-from jhellenthal@dataix.net) Received: by mail-io1-xd2f.google.com with SMTP id e19so2406849iob.3 for ; Wed, 15 May 2019 07:32:05 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=/bqShCJvbebTfXphXs2C/UXLiR7nahJYultp6qowfs4=; b=X1BiAHyL6RP7e0ieTkFrWexO4Y3r51/ZWn4Yk0uSBh196nIx+GL/7F/CUZdp0wX85S lJSs1YZJj73Vo7UuFjKPMsqCyqPlJUSjhPxDaDsyGhgQvwsUhm64B44x3GiHOjK4gicH j0q0QRs91ddA5H+gX+c7UJZ2xExO1KTTn7QtBC/fz92u9sLzccdZi52tsk9nHaFzbTI5 TDqXM9l8JCfdglWIfXfw+ZL3It7pSfQ8yk8Oz4VibSTnxKIYdTABrKpMEwKFzluOeOSW pUpdKr1lLZE8LH45bMhpBBEeeisMHo+vNRymY894QtZ163EISR48oKd6ik9pm7MaCLzk B8Tw== X-Gm-Message-State: APjAAAXCorJPWBj5QynClKsGpobEQiEBSrNf9YID682fRSDoT2oIWtl1 ZA0P90I7vwbdT0KrSx6Dt0bQvVsldxM= X-Google-Smtp-Source: APXvYqzQz0rJh34dOn+6U5WftbvFos0J+a4vLzckNvrYzGxkscd0jLgBSONx5Z4LWCZab2FQoPV/pw== X-Received: by 2002:a6b:8d12:: with SMTP id p18mr4890087iod.266.1557930724602; Wed, 15 May 2019 07:32:04 -0700 (PDT) Received: from ?IPv6:2607:fb90:17df:d266:b07b:3132:142:8b3b? ([2607:fb90:17df:d266:b07b:3132:142:8b3b]) by smtp.gmail.com with ESMTPSA id c16sm708033iod.86.2019.05.15.07.32.02 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 15 May 2019 07:32:02 -0700 (PDT) Content-Type: multipart/signed; boundary=Apple-Mail-884DEE61-F359-437C-A1F6-B008F798C086; protocol="application/pkcs7-signature"; micalg=sha-256 Mime-Version: 1.0 (1.0) Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-19:07.mds From: "J. Hellenthal" X-Mailer: iPhone Mail (16F156) In-Reply-To: <31b178d5-9998-d2a3-cc4c-d3f7d574743a@sentex.net> Date: Wed, 15 May 2019 09:32:01 -0500 Cc: "Wall, Stephen" , "freebsd-security@freebsd.org" Content-Transfer-Encoding: 7bit Message-Id: References: <20190515000302.44CBB1AB79@freefall.freebsd.org> <31b178d5-9998-d2a3-cc4c-d3f7d574743a@sentex.net> To: mike tancsa X-Rspamd-Queue-Id: A8D298DB19 X-Spamd-Bar: -------- X-Spamd-Result: default: False [-8.47 / 15.00]; TO_DN_EQ_ADDR_SOME(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; MV_CASE(0.50)[]; HAS_ATTACHMENT(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; DKIM_TRACE(0.00)[dataix.net:+]; DMARC_POLICY_ALLOW(-0.50)[dataix.net,reject]; MX_GOOD(-0.01)[alt1.aspmx.l.google.com,aspmx.l.google.com,aspmx2.googlemail.com,alt2.aspmx.l.google.com,aspmx3.googlemail.com]; NEURAL_HAM_SHORT(-0.98)[-0.978,0]; FROM_EQ_ENVFROM(0.00)[]; IP_SCORE(-2.88)[ip: (-8.80), ipnet: 2607:f8b0::/32(-3.26), asn: 15169(-2.27), country: US(-0.06)]; MIME_TRACE(0.00)[0:+,1:+]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; RCVD_TLS_LAST(0.00)[]; MID_RHS_MATCH_FROM(0.00)[]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; R_DKIM_ALLOW(-0.20)[dataix.net:s=net]; FROM_HAS_DN(0.00)[]; SIGNED_SMIME(-2.00)[]; RCPT_COUNT_THREE(0.00)[3]; MIME_GOOD(-0.20)[multipart/signed,text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCVD_IN_DNSWL_NONE(0.00)[f.2.d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.b.8.f.7.0.6.2.list.dnswl.org : 127.0.5.0] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 May 2019 14:32:07 -0000 --Apple-Mail-884DEE61-F359-437C-A1F6-B008F798C086 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable cpu_microcode_load=3D"intel-ucode=E2=80=9D Don=E2=80=99t remember that as needing to be yes but could be wrong. --=20 J. Hellenthal The fact that there's a highway to Hell but only a stairway to Heaven says a= lot about anticipated traffic volume. > On May 15, 2019, at 08:32, mike tancsa wrote: >=20 > cpu_microcode_load=3D" --Apple-Mail-884DEE61-F359-437C-A1F6-B008F798C086 Content-Type: application/pkcs7-signature; name=smime.p7s Content-Disposition: attachment; filename=smime.p7s Content-Transfer-Encoding: base64 MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCCBTIw ggUuMIIEFqADAgECAg8iC1LwIW7jk98vVRlOTK8wDQYJKoZIhvcNAQELBQAwgZYxCzAJBgNVBAYT AkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGDAWBgNV BAoTD1NlY3RpZ28gTGltaXRlZDE+MDwGA1UEAxM1U2VjdGlnbyBSU0EgQ2xpZW50IEF1dGhlbnRp Y2F0aW9uIGFuZCBTZWN1cmUgRW1haWwgQ0EwHhcNMTkwMzMxMDAwMDAwWhcNMjAwMzMwMjM1OTU5 WjAnMSUwIwYJKoZIhvcNAQkBFhZqaGVsbGVudGhhbEBkYXRhaXgubmV0MIIBIjANBgkqhkiG9w0B AQEFAAOCAQ8AMIIBCgKCAQEAx5DLpxSGFGx4g+VMCavS4OBn/b63m2BzMXZTZC+ubScDw6MmU+3z 9v9fdgXVPT61oP6yNrMhrhIKk+PsDW3Ww2T5x5YNGixXyEGv4r1J3WvRg3OlEi4owUH8kZGxTWoF GAOXn7LFnzLDaSsXCsKyBp7kkHohqFMy1fpGzPskMdZu3naKTdf47/ts8708z8ZdsADHhpVS10yb TZcNTgyQLLf//X1ScqqB02YkCCat3zKuT3IKKnwbn9h8o1OHJ6MiqyLwURzfJzgtnKrHXJvapv9V uIZEwSjj+wWFSduwbX5F0QugkjwjSzqj5EBGEKQF7UwgP594qAK0FBNxBs6sSwIDAQABo4IB5TCC AeEwHwYDVR0jBBgwFoAUCcDy/AvalNtf/ivfqJlCz8ngrQAwHQYDVR0OBBYEFPLmIJL0TOf54uon wjvXFkHbdWxKMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMCAGA1UdJQQZMBcGCCsGAQUF BwMEBgsrBgEEAbIxAQMFAjARBglghkgBhvhCAQEEBAMCBSAwQAYDVR0gBDkwNzA1BgwrBgEEAbIx AQIBAQEwJTAjBggrBgEFBQcCARYXaHR0cHM6Ly9zZWN0aWdvLmNvbS9DUFMwWgYDVR0fBFMwUTBP oE2gS4ZJaHR0cDovL2NybC5zZWN0aWdvLmNvbS9TZWN0aWdvUlNBQ2xpZW50QXV0aGVudGljYXRp b25hbmRTZWN1cmVFbWFpbENBLmNybDCBigYIKwYBBQUHAQEEfjB8MFUGCCsGAQUFBzAChklodHRw Oi8vY3J0LnNlY3RpZ28uY29tL1NlY3RpZ29SU0FDbGllbnRBdXRoZW50aWNhdGlvbmFuZFNlY3Vy ZUVtYWlsQ0EuY3J0MCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5zZWN0aWdvLmNvbTAhBgNVHREE GjAYgRZqaGVsbGVudGhhbEBkYXRhaXgubmV0MA0GCSqGSIb3DQEBCwUAA4IBAQC77SlUYzSbLTaM +NjM+mGYsv3CdaNuz0MCjDfllMFRSFrL6qhf683mJxFl8AwjMEj1ohDf1VNaHos7VLNBidZiZ6Dc XLc44DN74Nl0WTnYiZlmDHgvUK5A1A0qBbiq7NYkWs2Tyc7R+esrqJEh2NM6AZphKBmUtbdipaPK LhUT6Dvep/UoHb34BSkL5OJYgoXpZdP4L1XlKt/HoeUMaMRd1GyHieSfOWnbG3tOPPgco9zBsOv0 wxPs6yF1wOihP668voM6lCYNnykGK9jUFvzwzQ/g8Rs4Z2vWv90K/+S4lfGcSrbQlZpe2OYTc1xB Q984bw1gR4yHvsSM+SzAhwyUMYIDwTCCA70CAQEwgaowgZYxCzAJBgNVBAYTAkdCMRswGQYDVQQI ExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGDAWBgNVBAoTD1NlY3RpZ28g TGltaXRlZDE+MDwGA1UEAxM1U2VjdGlnbyBSU0EgQ2xpZW50IEF1dGhlbnRpY2F0aW9uIGFuZCBT ZWN1cmUgRW1haWwgQ0ECDyILUvAhbuOT3y9VGU5MrzANBglghkgBZQMEAgEFAKCCAecwGAYJKoZI hvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTkwNTE1MTQzMjAxWjAvBgkqhkiG 9w0BCQQxIgQg8B6tea6BCitO/9DopM1ctc/1eiEWjXH6khqqI+ZL93gwgbsGCSsGAQQBgjcQBDGB rTCBqjCBljELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE BxMHU2FsZm9yZDEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMT4wPAYDVQQDEzVTZWN0aWdvIFJT QSBDbGllbnQgQXV0aGVudGljYXRpb24gYW5kIFNlY3VyZSBFbWFpbCBDQQIPIgtS8CFu45PfL1UZ TkyvMIG9BgsqhkiG9w0BCRACCzGBraCBqjCBljELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0 ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVk MT4wPAYDVQQDEzVTZWN0aWdvIFJTQSBDbGllbnQgQXV0aGVudGljYXRpb24gYW5kIFNlY3VyZSBF bWFpbCBDQQIPIgtS8CFu45PfL1UZTkyvMA0GCSqGSIb3DQEBAQUABIIBAGTVPcRSEcYatVZ44dil 8liaLuo4YN5UOI4nySTUDVWBYNrN6INKPx8ctoYuBtXrHGEWhwmIAO9wKzEelwWVR0CgRP+cnvPq BV+LW8yTnKlK0z9XNVGi5LmVd7GddkLYrjGFeYmTsXfvOicRcmgdpooHT9nqBbqvDTG9FFdtBRnt hAcmBcrQOAxKA3B/aEcsCcson+3Sz9iBtpR5KcGGzzhWfvX8pc5kfk6+C+3Ef1CNooD/+iyaRUhg NUz4aGQWcsPfN/ZP0OtSjJuAGdcDYFmjuljx56CfdOfN1zDTHBR5oTzdmBv5a/moQADf+GUJIuKT lEwHbmBcW4igyr7uBFIAAAAAAAA= --Apple-Mail-884DEE61-F359-437C-A1F6-B008F798C086-- From owner-freebsd-security@freebsd.org Wed May 15 14:33:32 2019 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E4A9D1593473 for ; Wed, 15 May 2019 14:33:31 +0000 (UTC) (envelope-from mike@sentex.net) Received: from pyroxene.sentex.ca (unknown [IPv6:2607:f3e0:0:3::18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "pyroxene.sentex.ca", Issuer "Let's Encrypt Authority X3" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 2748A8DCD1 for ; Wed, 15 May 2019 14:33:31 +0000 (UTC) (envelope-from mike@sentex.net) Received: from [192.168.43.29] ([192.168.43.29]) by pyroxene.sentex.ca (8.15.2/8.15.2) with ESMTPS id x4FEXRSW049234 (version=TLSv1.2 cipher=AES128-SHA bits=128 verify=NO); Wed, 15 May 2019 10:33:28 -0400 (EDT) (envelope-from mike@sentex.net) Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-19:07.mds To: Borja Marcos Cc: "Wall, Stephen" , "freebsd-security@freebsd.org" References: <20190515000302.44CBB1AB79@freefall.freebsd.org> <31b178d5-9998-d2a3-cc4c-d3f7d574743a@sentex.net> From: mike tancsa Message-ID: <40f27bee-caa2-75a7-459d-3491ff22ebfb@sentex.net> Date: Wed, 15 May 2019 10:33:28 -0400 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Content-Language: en-US X-Rspamd-Queue-Id: 2748A8DCD1 X-Spamd-Bar: - Authentication-Results: mx1.freebsd.org; spf=pass (mx1.freebsd.org: domain of mike@sentex.net designates 2607:f3e0:0:3::18 as permitted sender) smtp.mailfrom=mike@sentex.net X-Spamd-Result: default: False [-1.42 / 15.00]; ARC_NA(0.00)[]; TO_DN_EQ_ADDR_SOME(0.00)[]; RCVD_TLS_ALL(0.00)[]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; R_SPF_ALLOW(-0.20)[+ip6:2607:f3e0::/32]; NEURAL_HAM_LONG(-1.00)[-0.998,0]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[sentex.net]; RDNS_NONE(1.00)[]; TO_DN_SOME(0.00)[]; TO_MATCH_ENVRCPT_SOME(0.00)[]; MX_GOOD(-0.01)[cached: smtp.sentex.ca]; NEURAL_HAM_SHORT(-0.90)[-0.902,0]; NEURAL_HAM_MEDIUM(-0.98)[-0.983,0]; IP_SCORE(-1.73)[ipnet: 2607:f3e0::/32(-4.95), asn: 11647(-3.59), country: CA(-0.09)]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:11647, ipnet:2607:f3e0::/32, country:CA]; HFILTER_HOSTNAME_UNKNOWN(2.50)[]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 May 2019 14:33:32 -0000 On 5/15/2019 10:27 AM, Borja Marcos wrote: > >> On 15 May 2019, at 15:32, mike tancsa wrote: >> >> Actually, just tried this on RELENG_11 (r347613) and I get >> >> don't know how to load module '/boot/firmware/intel-ucode.bin' >> >> In boot/loader.conf I have >> >> cpu_microcode_load=3D"YES" >> cpu_microcode_name=3D"/boot/firmware/intel-ucode.bin=E2=80=9D > I used this: > microcode_update_enable=3D=E2=80=9CYES" > > > on /etc/rc.conf with the devcpu-data port installed and as far as I kno= w it updated the microcode. > > The script in /usr/local/etc/rc.d used cpucontrol(8) to load it. > > Or am I holding it wrong?=20 Supposedly 2 ways to do it. When you install the port, it writes .... and I missed the part where it says running FreeBSD 12.0.... --------------------- Installing this port will allow host startup to update the CPU microcode = on a FreeBSD system automatically.=C2=A0 There are two methods for updating = CPU microcode: the first methods loads and applies the update before the kern= el begins booting, and the second method loads and applies updates using an rc script.=C2=A0 The first method is preferred, but is currently only sup= ported on Intel i386 and amd64 processors running FreeBSD 12.0.=C2=A0 It is safe= to enable both methods. The first method ensures that any CPU features introduced by a microcode update are visible to the kernel.=C2=A0 In other words, the update is loa= ded before the kernel performs CPU feature detection. To enable updates using the first method, add the following lines to the system's /boot/loader.conf: cpu_microcode_load=3D"YES" cpu_microcode_name=3D"/boot/firmware/intel-ucode.bin" =C2=A0=C2=A0=C2=A0 ---Mike > > > Borja. > > From owner-freebsd-security@freebsd.org Wed May 15 14:36:28 2019 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 774821593873 for ; Wed, 15 May 2019 14:36:28 +0000 (UTC) (envelope-from borjam@sarenet.es) Received: from cu1176c.smtpx.saremail.com (cu1176c.smtpx.saremail.com [195.16.148.151]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 952218E03E for ; Wed, 15 May 2019 14:36:27 +0000 (UTC) (envelope-from borjam@sarenet.es) Received: from [172.16.8.250] (unknown [192.148.167.11]) by proxypop02.sare.net (Postfix) with ESMTPA id 91D3A9DC7AF; Wed, 15 May 2019 16:36:24 +0200 (CEST) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\)) Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-19:07.mds From: Borja Marcos In-Reply-To: <40f27bee-caa2-75a7-459d-3491ff22ebfb@sentex.net> Date: Wed, 15 May 2019 16:36:23 +0200 Cc: "Wall, Stephen" , "freebsd-security@freebsd.org" Content-Transfer-Encoding: quoted-printable Message-Id: <2ED92A32-85D6-4026-8368-6C6050F7DE47@sarenet.es> References: <20190515000302.44CBB1AB79@freefall.freebsd.org> <31b178d5-9998-d2a3-cc4c-d3f7d574743a@sentex.net> <40f27bee-caa2-75a7-459d-3491ff22ebfb@sentex.net> To: mike tancsa X-Mailer: Apple Mail (2.3445.104.11) X-Rspamd-Queue-Id: 952218E03E X-Spamd-Bar: ----- X-Spamd-Result: default: False [-5.92 / 15.00]; ARC_NA(0.00)[]; TO_DN_EQ_ADDR_SOME(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; R_SPF_ALLOW(-0.20)[+ip4:195.16.148.0/24]; MV_CASE(0.50)[]; MIME_GOOD(-0.10)[text/plain]; RCVD_TLS_LAST(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; TO_DN_SOME(0.00)[]; TO_MATCH_ENVRCPT_SOME(0.00)[]; MX_GOOD(-0.01)[cached: smtp.sarenet.es]; DMARC_POLICY_ALLOW(-0.50)[sarenet.es,reject]; RCVD_IN_DNSWL_NONE(0.00)[151.148.16.195.list.dnswl.org : 127.0.10.0]; NEURAL_HAM_SHORT(-0.99)[-0.989,0]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; IP_SCORE(-2.62)[ip: (-7.20), ipnet: 195.16.128.0/19(-3.39), asn: 3262(-2.54), country: ES(0.05)]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:3262, ipnet:195.16.128.0/19, country:ES]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 May 2019 14:36:28 -0000 > On 15 May 2019, at 16:33, mike tancsa wrote: >=20 >> on /etc/rc.conf with the devcpu-data port installed and as far as I = know it updated the microcode. >>=20 >> The script in /usr/local/etc/rc.d used cpucontrol(8) to load it. >>=20 >> Or am I holding it wrong?=20 >=20 > Supposedly 2 ways to do it. When you install the port, it writes .... > and I missed the part where it says running FreeBSD 12.0=E2=80=A6. Ah yes, I've always been doing this since FreeBSD 11. Using the port, = not the loader.conf stuff. Borja. From owner-freebsd-security@freebsd.org Wed May 15 15:06:50 2019 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 709DF1594E8E for ; Wed, 15 May 2019 15:06:50 +0000 (UTC) (envelope-from markjdb@gmail.com) Received: from mail-io1-xd2a.google.com (mail-io1-xd2a.google.com [IPv6:2607:f8b0:4864:20::d2a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 8C9A88F725; Wed, 15 May 2019 15:06:49 +0000 (UTC) (envelope-from markjdb@gmail.com) Received: by mail-io1-xd2a.google.com with SMTP id x24so2491930ion.5; Wed, 15 May 2019 08:06:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=UaLc0NKzFnPvO34QO92Vtsu+IX2+6mPv8SaAdmx2VZg=; b=qNLyUnKdLlj0b/N5KqwgiVeZsZSaM78TrINsAnKb7GO6rUEivpSDOcua7eQzli//Xt OwiTbttLqC8S9L1Gi+mz1VB/ECaJUoBpV2tS7vvVwQUPHNSRN86XR+cfFku/Ntg1CS7d T5cFJMtImbFip2CdvwfrLYfkSmEdWQOVq88wRLmubuke9JG9euTD5C9Z8nwwHpM1YynQ s0aKDW9/ybO95Otv0aHGAozbO4kOeHJaw4zxZNiW2VVK0UzTKBtrWqWsl7oClEdMvMLf z6JQ9hMQD1/GAd9xKFHc7JjxwkFxRtA9MBR64UmFcXa2vPHcA1uDduloG4VnJrkgoDiI tthQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:from:to:cc:subject:message-id :references:mime-version:content-disposition:in-reply-to:user-agent; bh=UaLc0NKzFnPvO34QO92Vtsu+IX2+6mPv8SaAdmx2VZg=; b=aOONROSCXFQiV0aD1c9p7MsVOPv9coB21C/N+60Gtk4qcFWMn74ddihKG5C1z/AuUk OtXfAj1TK0UDosl/5GsL/Y53p+bk2WVd4fRDbnnHjZtZi9C06yadm3hF/68JijaaSSjn Y3mUOAFrz25LtSBsq167uzC22XPz3MdbBK3fwJZFGOkVMqQIwturkXf27CDg3EKk0Orb EhTbmOJyLWKYvQv60vcaMZE5Sx8nIf0oqdsH9OiyFh5NCk6JRGuFFqSQDi4DfZBCixRR eOjKJFCUdJ90Kregqhd5R7lNYmnwTlTauk7Z1hgUSDmnwc9p80shP8boZD/0x/YfJmg9 cZtw== X-Gm-Message-State: APjAAAUQJR4+IhTq3a1hkvAgUPETNv+O1koNd+Z92PJdhNoBGTb9m5+9 ZyDnBy4EFR0j7Z0L6XznQRO4KPRI X-Google-Smtp-Source: APXvYqyWrlZwPRbfUsdMQ8e3x7U1SFAViylADzmwdvewGeIA9P2zRBSZHCX77OVkak1/7EMDxOF/jw== X-Received: by 2002:a5d:8055:: with SMTP id b21mr19846238ior.241.1557932808076; Wed, 15 May 2019 08:06:48 -0700 (PDT) Received: from raichu (toroon0560w-lp140-01-69-159-36-31.dsl.bell.ca. [69.159.36.31]) by smtp.gmail.com with ESMTPSA id y13sm731550iol.68.2019.05.15.08.06.46 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Wed, 15 May 2019 08:06:47 -0700 (PDT) Sender: Mark Johnston Date: Wed, 15 May 2019 11:06:42 -0400 From: Mark Johnston To: Kyle Evans Cc: mike tancsa , "Wall, Stephen" , "freebsd-security@freebsd.org" Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-19:07.mds Message-ID: <20190515150642.GA62210@raichu> References: <20190515000302.44CBB1AB79@freefall.freebsd.org> <31b178d5-9998-d2a3-cc4c-d3f7d574743a@sentex.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.11.4 (2019-03-13) X-Rspamd-Queue-Id: 8C9A88F725 X-Spamd-Bar: ----- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20161025 header.b=qNLyUnKd; spf=pass (mx1.freebsd.org: domain of markjdb@gmail.com designates 2607:f8b0:4864:20::d2a as permitted sender) smtp.mailfrom=markjdb@gmail.com X-Spamd-Result: default: False [-5.69 / 15.00]; TO_DN_EQ_ADDR_SOME(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; RCVD_COUNT_THREE(0.00)[3]; DKIM_TRACE(0.00)[gmail.com:+]; MX_GOOD(-0.01)[cached: alt3.gmail-smtp-in.l.google.com]; NEURAL_HAM_SHORT(-0.98)[-0.980,0]; FORGED_SENDER(0.30)[markj@freebsd.org,markjdb@gmail.com]; RCVD_TLS_LAST(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; IP_SCORE(-3.00)[ip: (-9.41), ipnet: 2607:f8b0::/32(-3.26), asn: 15169(-2.27), country: US(-0.06)]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20161025]; FROM_NEQ_ENVFROM(0.00)[markj@freebsd.org,markjdb@gmail.com]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[4]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[freebsd.org]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCVD_IN_DNSWL_NONE(0.00)[a.2.d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.b.8.f.7.0.6.2.list.dnswl.org : 127.0.5.0]; MID_RHS_NOT_FQDN(0.50)[] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 May 2019 15:06:50 -0000 On Wed, May 15, 2019 at 09:33:50AM -0500, Kyle Evans wrote: > On Wed, May 15, 2019 at 8:33 AM mike tancsa wrote: > > > > On 5/15/2019 8:18 AM, Wall, Stephen wrote: > > >> New CPU microcode may be available in a BIOS update from your system vendor, > > >> or by installing the devcpu-data package or sysutils/devcpu-data port. > > >> Ensure that the BIOS update or devcpu-data package is dated after 2014-05-14. > > >> > > >> If using the package or port the microcode update can be applied at boot time > > >> by adding the following lines to the system's /boot/loader.conf: > > >> > > >> cpu_microcode_load="YES" > > >> cpu_microcode_name="/boot/firmware/intel-ucode.bin" > > > Is this applicable in a virtualized environment, or only on bare metal? > > > If not applicable in a VM, is it at least harmless? > > > > > > Actually, just tried this on RELENG_11 (r347613) and I get > > > > don't know how to load module '/boot/firmware/intel-ucode.bin' > > > > In boot/loader.conf I have > > > > cpu_microcode_load="YES" > > cpu_microcode_name="/boot/firmware/intel-ucode.bin" > > > > # ls -l /boot/firmware/intel-ucode.bin > > -rw-r--r-- 1 root wheel uarch 2571264 May 15 08:47 > > /boot/firmware/intel-ucode.bin > > > > # sha256 /boot/firmware/intel-ucode.bin > > SHA256 (/boot/firmware/intel-ucode.bin) = > > 1fdb3a25467d285394eded8039ee8ab488f074903654981d35a4cdfe6ebf12fc > > > > r337715 + r337716 were responsible for making this work, and they've > not yet been MFC'd as far as I can tell. CC markj@, because that's > probably good to sneak in soon. I'm working on this. In any case, 11.2 doesn't have and won't get boot-time microcode update support, so an updated SA with instructions for 11 will be released shortly. From owner-freebsd-security@freebsd.org Wed May 15 14:34:44 2019 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 71B3A159363D for ; Wed, 15 May 2019 14:34:44 +0000 (UTC) (envelope-from kevans@freebsd.org) Received: from smtp.freebsd.org (smtp.freebsd.org [96.47.72.83]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 160BA8DE89; Wed, 15 May 2019 14:34:44 +0000 (UTC) (envelope-from kevans@freebsd.org) Received: from mail-lf1-f49.google.com (mail-lf1-f49.google.com [209.85.167.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) (Authenticated sender: kevans) by smtp.freebsd.org (Postfix) with ESMTPSA id A3D87F111; Wed, 15 May 2019 14:34:43 +0000 (UTC) (envelope-from kevans@freebsd.org) Received: by mail-lf1-f49.google.com with SMTP id q17so10244lfo.4; Wed, 15 May 2019 07:34:43 -0700 (PDT) X-Gm-Message-State: APjAAAXjgzgjd9CWISVqZqqVr0DUuUayXNmbBUzNsGo+4eEVmOXb6wm3 7jQ+VHX6Qraxaois9eb+AHxLtG0CP0hOi6azE90= X-Google-Smtp-Source: APXvYqz5jChxJGn4Xd389HHEggXBoRQmOfL12MIIzfrX+AW7EKiJfvaZqrn/hyubLWgxPPhEUiq/P6t3/jkqfwZFNcU= X-Received: by 2002:ac2:4315:: with SMTP id l21mr20109764lfh.143.1557930882287; Wed, 15 May 2019 07:34:42 -0700 (PDT) MIME-Version: 1.0 References: <20190515000302.44CBB1AB79@freefall.freebsd.org> <31b178d5-9998-d2a3-cc4c-d3f7d574743a@sentex.net> In-Reply-To: <31b178d5-9998-d2a3-cc4c-d3f7d574743a@sentex.net> From: Kyle Evans Date: Wed, 15 May 2019 09:33:50 -0500 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-19:07.mds To: mike tancsa Cc: "Wall, Stephen" , "freebsd-security@freebsd.org" , Mark Johnston Content-Type: text/plain; charset="UTF-8" X-Rspamd-Queue-Id: 160BA8DE89 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.96 / 15.00]; local_wl_from(0.00)[freebsd.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.998,0]; NEURAL_HAM_SHORT(-0.96)[-0.960,0]; ASN(0.00)[asn:11403, ipnet:96.47.64.0/20, country:US]; NEURAL_HAM_LONG(-1.00)[-1.000,0] X-Mailman-Approved-At: Wed, 15 May 2019 16:34:48 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 May 2019 14:34:44 -0000 On Wed, May 15, 2019 at 8:33 AM mike tancsa wrote: > > On 5/15/2019 8:18 AM, Wall, Stephen wrote: > >> New CPU microcode may be available in a BIOS update from your system vendor, > >> or by installing the devcpu-data package or sysutils/devcpu-data port. > >> Ensure that the BIOS update or devcpu-data package is dated after 2014-05-14. > >> > >> If using the package or port the microcode update can be applied at boot time > >> by adding the following lines to the system's /boot/loader.conf: > >> > >> cpu_microcode_load="YES" > >> cpu_microcode_name="/boot/firmware/intel-ucode.bin" > > Is this applicable in a virtualized environment, or only on bare metal? > > If not applicable in a VM, is it at least harmless? > > > Actually, just tried this on RELENG_11 (r347613) and I get > > don't know how to load module '/boot/firmware/intel-ucode.bin' > > In boot/loader.conf I have > > cpu_microcode_load="YES" > cpu_microcode_name="/boot/firmware/intel-ucode.bin" > > # ls -l /boot/firmware/intel-ucode.bin > -rw-r--r-- 1 root wheel uarch 2571264 May 15 08:47 > /boot/firmware/intel-ucode.bin > > # sha256 /boot/firmware/intel-ucode.bin > SHA256 (/boot/firmware/intel-ucode.bin) = > 1fdb3a25467d285394eded8039ee8ab488f074903654981d35a4cdfe6ebf12fc > r337715 + r337716 were responsible for making this work, and they've not yet been MFC'd as far as I can tell. CC markj@, because that's probably good to sneak in soon. From owner-freebsd-security@freebsd.org Wed May 15 18:16:24 2019 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id BCBD4159B8E1 for ; Wed, 15 May 2019 18:16:23 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id F3AF369EFE; Wed, 15 May 2019 18:16:22 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id C2694A0A9; Wed, 15 May 2019 18:16:22 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-19:07.mds [REVISED] Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20190515181622.C2694A0A9@freefall.freebsd.org> Date: Wed, 15 May 2019 18:16:22 +0000 (UTC) X-Rspamd-Queue-Id: F3AF369EFE X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.96 / 15.00]; local_wl_from(0.00)[freebsd.org]; NEURAL_HAM_MEDIUM(-0.99)[-0.995,0]; NEURAL_HAM_SHORT(-0.97)[-0.965,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-1.00)[-1.000,0] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 May 2019 18:16:24 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-19:07.mds Security Advisory The FreeBSD Project Topic: Microarchitectural Data Sampling (MDS) Category: core Module: kernel Announced: 2019-05-14 Credits: Refer to Intel's security advisory at the URL below for detailed acknowledgements. Affects: All supported versions of FreeBSD. Corrected: 2019-05-14 17:04:00 UTC (stable/12, 12.0-STABLE) 2019-05-14 23:19:08 UTC (releng/12.0, 12.0-RELEASE-p4) 2019-05-14 17:05:02 UTC (stable/11, 11.3-PRERELEASE) 2019-05-14 23:20:16 UTC (releng/11.2, 11.2-RELEASE-p10) CVE Name: CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . 0. Revision history v1.0 2019-05-14 Initial release. v1.1 2019-05-15 Fixed date on microcode update package. v1.2 2019-05-15 Userland startup microcode update details added. Add language specifying which manufacturers is affected. I. Background Modern processors make use of speculative execution, an optimization technique which performs some action in advance of knowing whether the result will actually be used. II. Problem Description On some Intel processors utilizing speculative execution a local process may be able to infer stale information from microarchitectural buffers to obtain a memory disclosure. III. Impact An attacker may be able to read secret data from the kernel or from a process when executing untrusted code (for example, in a web browser). IV. Workaround No workaround is available. Only Intel x86 based processors are affected. x86 processors from other manufacturers (eg, AMD) are not believed to be vulnerable. Systems with users or processors in different trust domains should disable Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0: # echo 'machdep.hyperthreading_allowed=0 >> /boot/loader.conf' # shutdown -r +10min "Security update" V. Solution Perform one of the following: Update CPU microcode, upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, evaluate mitigation and Hyper Threading controls, and reboot the system. New CPU microcode may be available in a BIOS update from your system vendor, or by installing the devcpu-data package or sysutils/devcpu-data port. Ensure that the BIOS update or devcpu-data package is dated after 2019-05-14. If using the package or port the Intel microcode update can be applied at boot time (only on FreeBSD 12 and later) by adding the following lines to the system's /boot/loader.conf: cpu_microcode_load="YES" cpu_microcode_name="/boot/firmware/intel-ucode.bin" To automatically load microcode during userland startup (supported on all FreeBSD versions), add the following to /etc/rc.conf: microcode_update_enable="YES" 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Follow additional details under "Mitigation Configuration" below. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 12.0-STABLE] # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch.asc # gpg --verify mds.12-stable.patch.asc [FreeBSD 12.0-RELEASE] # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch.asc # gpg --verify mds.12.0.patch.asc [FreeBSD 11.3-PRERELEASE] # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch.asc # gpg --verify mds.11-stable.patch.asc [FreeBSD 11.2-RELEASE] # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch.asc # gpg --verify mds.11.2.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in . Mitigation Configuration Systems with users, processes, or virtual machines in different trust domains should disable Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0: # echo machdep.hyperthreading_allowed=0 >> /boot/loader.conf To activate the MDS mitigation set the hw.mds_disable sysctl. The settings are: 0 - mitigation disabled 1 - VERW instruction (microcode) mitigation enabled 2 - Software sequence mitigation enabled (not recommended) 3 - Automatic VERW or Software selection Automatic mode uses the VERW instruction if supported by the CPU / microcode, or software sequences if not. To enable automatic mode at boot: # echo hw.mds_disable=3 >> /etc/sysctl.conf Reboot the system: # shutdown -r +10min "Security update" Check the mitigation status: # sysctl hw.mds_disable_state hw.mds_disable_state: software Silvermont VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/12/ r347567 releng/12.0/ r346594 stable/11/ r347568 releng/11.2/ r347595 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzcU9dfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cKG7Q//XEf1kFc8JABZtSQT5XEP+J/CKMF+W+CqVmV6vLNimOeWVaw5BBWbtbhI 7BENuQRw2NcUbwrhwR+KYKWUN0rF0VQOk+m8JMYQxTu1WQfI9J8HDTXjmp1mfrx4 CbEjHuHCvGjezdURR0GIfAfkMjfDUEPEq05svPrEFIh2s4QagF7V2gunwNgprXJV ZzlA2IEUCx2KFbgbPjIJDY7ED0/VXrNeZU9G4R4t9+QSD2r21cF4kax8DLi5Rtz4 ducXhT5dG+reZXye6c+eryJvjBPEwI9zHth0xLMGHDJUeLAOUkZpNsciuEeNu96O 1EkGqYBKpJGcvsYBnYM0mD2Z23khqxEHWArIluJeVkdezlvREB42nLHQ9oin3opH ojdh57lkppQqVZ9GTHqQLRVbawiC7oNNWzoYq+ANSReqiIkpPCC3z3NsGDo1oYLK suMOAtxwPe6qq2Q9voN5lgHNR5w/x2uKxdYx8G8C40ynoFb1W1dQNdGVtmfRpvO5 lvZGWNsmxWBrlYlm8onpulw1WsPgOp9TmhIAO1IZHVhgsaoF9i1hu/BumOTjiQo0 Md4IiGAdPkU7nC3MjDm9jsD+bC6GaXwXkyryi1bpNE2feXVg4lvznyah2wQR2VVq +R3H0+iTHCOS9fEvWWpRIZWL2AfU78O+c/go9ZqqQvGAxVR/UwM= =pDA1 -----END PGP SIGNATURE----- From owner-freebsd-security@freebsd.org Wed May 15 18:55:17 2019 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4AA42159DCB1; Wed, 15 May 2019 18:55:17 +0000 (UTC) (envelope-from fernando.apesteguia@gmail.com) Received: from mail-ua1-f47.google.com (mail-ua1-f47.google.com [209.85.222.47]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id C164D6C09D; Wed, 15 May 2019 18:55:15 +0000 (UTC) (envelope-from fernando.apesteguia@gmail.com) Received: by mail-ua1-f47.google.com with SMTP id 7so283495uah.1; Wed, 15 May 2019 11:55:15 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=G/hXPSrvwIPLPmrO0sJKQdHxg2I5M7+WuhSjtnEMbQ4=; b=JT7JExKbfJPp6+1oGGDoTCi7prSvDCqj+0UOf8W4JIVbB2GvArq8MZDfJt6pvtMfeq KtdqQ9q56b/u5SdRn+w/fqg+spfCH+sI1DdSNI+H9ORrCqvVc7LAC2OcF5kpTTayC3QS cmy5OSoD2/nX04PvXj2oGF6Tv119ULEYfdK2cvbTQ7RLi/CXpLCfaR5OIU/3OxXJZAEo VqSR9CUk5X2VbRMau8tyOH+QTn/uSeTa9duEnf8BRw9k0m3CYoy1Ob6AGdhZiDqedBbv C7Ktbd2P5ZTQL+PSC0vSqGNO+Ncld7gKeluitdV5+geUb+osgE2kYuyojfiOLHNSKSZw Jk1A== X-Gm-Message-State: APjAAAXgwf14ikieVid53bsm+PsEBlWPjkJlVSjEMgP4I/XxF82COo3K IQnDCAEj50x0de8I69Kz5xeNlF+PiSy9Vg== X-Google-Smtp-Source: APXvYqx3/pskFsnP/Cpm+YcJfeqhp9jVYaO/GEIpMBfDjrYaopaUXxfUth43FLXbGqkmQNYxzALrEQ== X-Received: by 2002:ab0:53cd:: with SMTP id l13mr10162690uaa.101.1557923861066; Wed, 15 May 2019 05:37:41 -0700 (PDT) Received: from mail-vk1-f178.google.com (mail-vk1-f178.google.com. [209.85.221.178]) by smtp.gmail.com with ESMTPSA id 69sm479832uas.0.2019.05.15.05.37.39 (version=TLS1_3 cipher=AEAD-AES128-GCM-SHA256 bits=128/128); Wed, 15 May 2019 05:37:39 -0700 (PDT) Received: by mail-vk1-f178.google.com with SMTP id r23so692046vkd.12; Wed, 15 May 2019 05:37:39 -0700 (PDT) X-Received: by 2002:a1f:2ccb:: with SMTP id s194mr18743281vks.24.1557923859489; Wed, 15 May 2019 05:37:39 -0700 (PDT) MIME-Version: 1.0 References: <20190515105305.GL18665@straylight.m.ringlet.net> In-Reply-To: <20190515105305.GL18665@straylight.m.ringlet.net> From: =?UTF-8?Q?Fernando_Apestegu=C3=ADa?= Date: Wed, 15 May 2019 14:37:27 +0200 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: ZombieLoad Attack: Intel Exploits You... Again! To: grarpamp , freebsd-security@freebsd.org, freebsd-questions@freebsd.org X-Rspamd-Queue-Id: C164D6C09D X-Spamd-Bar: ++++ Authentication-Results: mx1.freebsd.org; spf=pass (mx1.freebsd.org: domain of fernandoapesteguia@gmail.com designates 209.85.222.47 as permitted sender) smtp.mailfrom=fernandoapesteguia@gmail.com X-Spamd-Result: default: False [4.75 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(0.00)[+ip4:209.85.128.0/17]; URIBL_RED(3.50)[zombieloadattack.com.multi.uribl.com]; SEM_URIBL_FRESH15(3.00)[zombieloadattack.com.fresh15.spameatingmonkey.net]; RCVD_COUNT_THREE(0.00)[4]; MX_GOOD(-0.01)[cached: alt3.gmail-smtp-in.l.google.com]; HAS_ANON_DOMAIN(0.10)[]; NEURAL_HAM_SHORT(-0.96)[-0.965,0]; SUBJECT_ENDS_EXCLAIM(0.00)[]; FORGED_SENDER(0.30)[fernape@freebsd.org,fernandoapesteguia@gmail.com]; FREEMAIL_TO(0.00)[gmail.com]; MIME_TRACE(0.00)[0:+,1:+]; R_DKIM_NA(0.00)[]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US]; TAGGED_FROM(0.00)[]; ARC_NA(0.00)[]; FROM_NEQ_ENVFROM(0.00)[fernape@freebsd.org,fernandoapesteguia@gmail.com]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; NEURAL_HAM_LONG(-0.53)[-0.532,0]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; DMARC_NA(0.00)[freebsd.org]; NEURAL_SPAM_MEDIUM(0.53)[0.529,0]; BAD_REP_POLICIES(0.10)[]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCVD_IN_DNSWL_NONE(0.00)[47.222.85.209.list.dnswl.org : 127.0.5.0]; RCVD_TLS_LAST(0.00)[]; GREYLIST(0.00)[pass,body]; IP_SCORE(-1.17)[ipnet: 209.85.128.0/17(-3.55), asn: 15169(-2.26), country: US(-0.06)] X-Mailman-Approved-At: Wed, 15 May 2019 20:16:14 +0000 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.29 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 May 2019 18:55:17 -0000 El mi=C3=A9., 15 may. 2019 13:06, Peter Pentchev escribi= =C3=B3: > On Wed, May 15, 2019 at 03:24:54AM -0400, grarpamp wrote: > > https://zombieloadattack.com/ > > https://zombieloadattack.com/zombieload.pdf > > https://www.cyberus-technology.de/posts/2019-05-14-zombieload.html > > https://github.com/IAIK/ZombieLoad > > https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2018-12130 > > https://www.youtube.com/watch?v=3DwQvgyChrk_g > > > > FreeBSD people... > > See linux patches in and update your microcode, ports, etc. > > So... https://www.freebsd.org/security/advisories/FreeBSD-SA-19:07.mds.as= c > then? > So, a big applause is in order for the quick response. > G'luck, > Peter > > -- > Peter Pentchev roam@{ringlet.net,debian.org,FreeBSD.org} pp@storpool.com > PGP key: http://people.FreeBSD.org/~roam/roam.key.asc > Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13 > From owner-freebsd-security@freebsd.org Wed May 15 23:37:28 2019 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 27C4F15A5372 for ; Wed, 15 May 2019 23:37:28 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 88FE476076; Wed, 15 May 2019 23:37:27 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id 5F58AE2AD; Wed, 15 May 2019 23:37:27 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-19:07.mds Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20190515233727.5F58AE2AD@freefall.freebsd.org> Date: Wed, 15 May 2019 23:37:27 +0000 (UTC) X-Rspamd-Queue-Id: 88FE476076 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.95 / 15.00]; local_wl_from(0.00)[freebsd.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.998,0]; NEURAL_HAM_SHORT(-0.95)[-0.948,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-1.00)[-1.000,0] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 May 2019 23:37:28 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-19:07.mds Security Advisory The FreeBSD Project Topic: Microarchitectural Data Sampling (MDS) Category: core Module: kernel Announced: 2019-05-14 Credits: Refer to Intel's security advisory at the URL below for detailed acknowledgements. Affects: All supported versions of FreeBSD. Corrected: 2019-05-14 17:04:00 UTC (stable/12, 12.0-STABLE) 2019-05-15 13:44:27 UTC (releng/12.0, 12.0-RELEASE-p5) 2019-05-14 17:05:02 UTC (stable/11, 11.3-PRERELEASE) 2019-05-14 23:20:16 UTC (releng/11.2, 11.2-RELEASE-p10) CVE Name: CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . 0. Revision history v1.0 2019-05-14 Initial release. v1.1 2019-05-15 Fixed date on microcode update package. v1.2 2019-05-15 Userland startup microcode update details added. Add language specifying which manufacturers is affected. v1.3 2019-05-15 Minor quoting nit for the HT disable loader config. v2.0 2019-05-15 Rerelease 12.0-RELEASE patch as -p5 due to i386 panic bug. I. Background Modern processors make use of speculative execution, an optimization technique which performs some action in advance of knowing whether the result will actually be used. II. Problem Description On some Intel processors utilizing speculative execution a local process may be able to infer stale information from microarchitectural buffers to obtain a memory disclosure. III. Impact An attacker may be able to read secret data from the kernel or from a process when executing untrusted code (for example, in a web browser). IV. Workaround No workaround is available. Only Intel x86 based processors are affected. x86 processors from other manufacturers (eg, AMD) are not believed to be vulnerable. Systems with users or processors in different trust domains should disable Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0: # echo 'machdep.hyperthreading_allowed=0' >> /boot/loader.conf # shutdown -r +10min "Security update" V. Solution Perform one of the following: Update CPU microcode, upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, evaluate mitigation and Hyper Threading controls, and reboot the system. New CPU microcode may be available in a BIOS update from your system vendor, or by installing the devcpu-data package or sysutils/devcpu-data port. Ensure that the BIOS update or devcpu-data package is dated after 2019-05-14. If using the package or port the Intel microcode update can be applied at boot time (only on FreeBSD 12 and later) by adding the following lines to the system's /boot/loader.conf: cpu_microcode_load="YES" cpu_microcode_name="/boot/firmware/intel-ucode.bin" To automatically load microcode during userland startup (supported on all FreeBSD versions), add the following to /etc/rc.conf: microcode_update_enable="YES" 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Follow additional details under "Mitigation Configuration" below. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [*** v2.0 NOTE *** Only applies to 12.0-RELEASE ***] Due to an error in the 12.0-RELEASE affecting the i386 architecture, a new set of patches is being released. If your 12.0-RELEASE sources are not yet patched using the initially published patch, then you need to apply the mds.12.0.patch. If your sources are already updated, or patched with the patch from the initial advisory, then you need to apply the incremental patch, named mds.12.0.p4p5.patch [FreeBSD 12.0-STABLE] # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch.asc # gpg --verify mds.12-stable.patch.asc [FreeBSD 12.0-RELEASE, not patched with initial SA-19:07.mds patch] # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch.asc # gpg --verify mds.12.0.patch.asc [FreeBSD 12.0-RELEASE, patched with initial SA-19:07.mds patch] # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.p4p5.patch # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.p4p5.patch.asc # gpg --verify mds.12.0.p4p5.patch.asc [FreeBSD 11.3-PRERELEASE] # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch.asc # gpg --verify mds.11-stable.patch.asc [FreeBSD 11.2-RELEASE] # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch.asc # gpg --verify mds.11.2.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in . Mitigation Configuration Systems with users, processes, or virtual machines in different trust domains should disable Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0: # echo machdep.hyperthreading_allowed=0 >> /boot/loader.conf To activate the MDS mitigation set the hw.mds_disable sysctl. The settings are: 0 - mitigation disabled 1 - VERW instruction (microcode) mitigation enabled 2 - Software sequence mitigation enabled (not recommended) 3 - Automatic VERW or Software selection Automatic mode uses the VERW instruction if supported by the CPU / microcode, or software sequences if not. To enable automatic mode at boot: # echo hw.mds_disable=3 >> /etc/sysctl.conf Reboot the system: # shutdown -r +10min "Security update" Check the mitigation status: # sysctl hw.mds_disable_state hw.mds_disable_state: software Silvermont VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/12/ r347567 releng/12.0/ r347632 stable/11/ r347568 releng/11.2/ r347595 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzciUJfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cKc2w//UxEu2JWDEJnpGuYv/Hh+PAEsWjzG2mCuFmriF7//deJTbwWybJk0DXhU n6HCdw47nG/uVaeVOw921BRpJMK9bqpqr80VXKturOacS6kaQmMCXS+ZyPytZT0K XJIgM3QrHsUUd6FnCHZ6Z6PBRLWl72RvNm8b2ZUE32puALlEeDCcd9PP3pyPITgj iU3gP05GafKzG/7liqQuWPffRqAq4oQyQYCjkRfBdPNlacACvbtAXNnDPnwkfIqg Si2Svj2TDS0eTxC5fspQtdWkKru50ZHTFFsoNhT33uX9L1Yr8ui+ajRG0Zxd81fj 0YGGat9QhzF6R2dywU75wXRveM/VMXj2wy5/CWBVI9kY84SeqcDDdkksG3iMC63Q ebkZF38kbZ85Xwpi3z2yHxw16yKg0pLNryW/GBp0xyJz5ivFhgpeFWEHfmjmiX+u Ka0E5RgCHh/eNAihbU8XN9MLnHToaX3mlEM+He+YsAXCMutaiSKaFpUhEs7uVmqu r8YIYLbxJcIfqrRyIJtn9RpWisxJfo/RVLyE3QDg7Pg5x6QeVysyuYkbeOdIk75e KW5B0b3eKh8Xu0mZqexdL9Hb1kEii5RxbSU5qLYoKfkMSo4/dLKgJwYZH61EC5cP dEj/KaIAdMA0VMi8XQfAsPIR4FKhKcd5tUazjBaW97WJjha0dog= =StiT -----END PGP SIGNATURE----- From owner-freebsd-security@freebsd.org Thu May 16 04:02:47 2019 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4020F15AC248 for ; Thu, 16 May 2019 04:02:47 +0000 (UTC) (envelope-from rfg@tristatelogic.com) Received: from outgoing.tristatelogic.com (segfault.tristatelogic.com [69.62.255.118]) by mx1.freebsd.org (Postfix) with ESMTP id 16A5C87DB6 for ; Thu, 16 May 2019 04:02:45 +0000 (UTC) (envelope-from rfg@tristatelogic.com) Received: from segfault-nmh-helo.tristatelogic.com (localhost [127.0.0.1]) by segfault.tristatelogic.com (Postfix) with ESMTP id 1FE6D3ACDA for ; Wed, 15 May 2019 21:02:39 -0700 (PDT) From: "Ronald F. Guilmette" To: freebsd-security@freebsd.org Subject: Re: ZombieLoad Attack: Intel Exploits You... Again! In-Reply-To: Date: Wed, 15 May 2019 21:02:38 -0700 Message-ID: <36771.1557979358@segfault.tristatelogic.com> X-Rspamd-Queue-Id: 16A5C87DB6 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org; spf=pass (mx1.freebsd.org: domain of rfg@tristatelogic.com designates 69.62.255.118 as permitted sender) smtp.mailfrom=rfg@tristatelogic.com X-Spamd-Result: default: False [-2.08 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-0.98)[-0.977,0]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+mx]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_HAM_LONG(-0.98)[-0.978,0]; DMARC_NA(0.00)[tristatelogic.com]; NEURAL_SPAM_SHORT(0.10)[0.095,0]; MX_GOOD(-0.01)[mx1.tristatelogic.com]; SUBJECT_ENDS_EXCLAIM(0.00)[]; IP_SCORE(-0.01)[country: US(-0.06)]; RCVD_NO_TLS_LAST(0.10)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:14051, ipnet:69.62.128.0/17, country:US]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 May 2019 04:02:47 -0000 In message =?UTF-8?Q?Fernando_Apestegu=C3=ADa?= wrote: >So, a big applause is in order for the quick response. +1 Thanks to everyone involved who has labored to try to keep us all safe.