From owner-freebsd-announce@freebsd.org Tue Apr 6 20:22:25 2021
From: FreeBSD Errata Notices
To: FreeBSD Errata Notices
Reply-To: freebsd-stable@freebsd.org
Message-Id: <20210406202225.47A3A15C84@freefall.freebsd.org>
Date: Tue, 6 Apr 2021 20:22:25 +0000 (UTC)
Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-21:09.pf

=============================================================================
FreeBSD-EN-21:09.pf                                             Errata Notice
                                                          The FreeBSD Project

Topic:          net.pf.request_maxcount not settable from loader.conf(5)

Category:       core
Module:         pf
Announced:      2021-04-06
Affects:        FreeBSD 12.2
Corrected:      2020-12-15 08:29:45 UTC (stable/12, 12.2-STABLE)
                2021-04-06 19:21:24 UTC (releng/12.2, 12.2-RELEASE-p6)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit .

I.   Background

pf(4) is an Internet Protocol packet filter originally written for OpenBSD.

II.  Problem Description

The net.pf.request_maxcount sysctl provides an upper bound on the amount of
memory used by pf(4) to store various types of state. Prior to FreeBSD 12.2
this sysctl was read-only and could only be adjusted via loader.conf(5). In
FreeBSD 12.2, the sysctl was made writeable, but lost the ability to be
adjusted from loader.conf(5).

III. Impact

pf(4) may fail to load filtering rules if they cause the default
request_maxcount bound to be exceeded. Users that relied on loader.conf to
increase the request_maxcount value could see their rules fail to load.

IV.  Workaround

The value of request_maxcount may be set via sysctl.conf(5).

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.

Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-21:09/pf.patch
# fetch https://security.FreeBSD.org/patches/EN-21:09/pf.patch.asc
# gpg --verify pf.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r368656
releng/12.2/                                                      r369554
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From owner-freebsd-announce@freebsd.org Tue Apr 6 20:22:29 2021
From: FreeBSD Errata Notices
To: FreeBSD Errata Notices
Reply-To: freebsd-stable@freebsd.org
Message-Id: <20210406202229.C87CF15C89@freefall.freebsd.org>
Date: Tue, 6 Apr 2021 20:22:29 +0000 (UTC)
Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-21:10.lldb

=============================================================================
FreeBSD-EN-21:10.lldb                                           Errata Notice
                                                          The FreeBSD Project

Topic:          lldb abort on print command

Category:       contrib
Module:         lldb
Announced:      2021-04-06
Affects:        FreeBSD 12.2
Corrected:      2020-10-31 18:42:03 UTC (stable/12, 12.2-STABLE)
                2021-04-06 19:21:27 UTC (releng/12.2, 12.2-RELEASE-p6)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit .

I.   Background

lldb is the debugger from the LLVM project. Version 10.0.1 is included in
FreeBSD 12.2.

II.  Problem Description

Attempts to use lldb's `print` command (`p` alias) resulted in lldb aborting.

III. Impact

Some common debugger functionality cannot be used.

IV.  Workaround

No general workaround is available. Information provided by certain print
expressions may be available by using other commands, such as
`frame variable` (`fr v` alias).

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.

Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-21:10/lldb.patch
# fetch https://security.FreeBSD.org/patches/EN-21:10/lldb.patch.asc
# gpg --verify lldb.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r367228
releng/12.2/                                                      r369555
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From owner-freebsd-announce@freebsd.org Tue Apr 6 20:22:58 2021
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Message-Id: <20210406202258.120BC15B79@freefall.freebsd.org>
Date: Tue, 6 Apr 2021 20:22:58 +0000 (UTC)
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-21:08.vm

=============================================================================
FreeBSD-SA-21:08.vm                                         Security Advisory
                                                          The FreeBSD Project

Topic:          Memory disclosure by stale virtual memory mapping

Category:       core
Module:         vm
Announced:      2021-04-06
Credits:        Ryan Libby, Dell Inc.
Affects:        All supported versions of FreeBSD.
Corrected:      2021-04-06 18:50:46 UTC (stable/13, 13.0-STABLE)
                2021-04-06 19:18:49 UTC (releng/13.0, 13.0-RC5-p1)
                2021-04-06 19:20:46 UTC (stable/12, 12.2-STABLE)
                2021-04-06 19:21:30 UTC (releng/12.2, 12.2-RELEASE-p6)
                2021-04-06 19:22:31 UTC (stable/11, 11.4-STABLE)
                2021-04-06 19:22:56 UTC (releng/11.4, 11.4-RELEASE-p9)
CVE Name:       CVE-2021-29626

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

Memory mappings shared between processes are a feature of the FreeBSD
virtual memory system. They may be established by unprivileged processes
with the mmap(2), fork(2), and other system calls.

II.  Problem Description

A particular case of memory sharing is mishandled in the virtual memory
system. It is possible and legal to establish a relationship where
multiple descendant processes share a mapping which shadows memory of an
ancestor process. In this scenario, when one process modifies memory
through such a mapping, the copy-on-write logic fails to invalidate other
mappings of the source page. These stale mappings may remain even after
the mapped pages have been reused for another purpose.

III. Impact

An unprivileged local user process can maintain a mapping of a page after
it is freed, allowing that process to read private data belonging to other
processes or the kernel.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.0]
# fetch https://security.FreeBSD.org/patches/SA-21:08/vm_fault.13.patch
# fetch https://security.FreeBSD.org/patches/SA-21:08/vm_fault.13.patch.asc
# gpg --verify vm_fault.13.patch.asc

[FreeBSD 12.2]
# fetch https://security.FreeBSD.org/patches/SA-21:08/vm_fault.12.patch
# fetch https://security.FreeBSD.org/patches/SA-21:08/vm_fault.12.patch.asc
# gpg --verify vm_fault.12.patch.asc

[FreeBSD 11.4]
# fetch https://security.FreeBSD.org/patches/SA-21:08/vm_fault.11.patch
# fetch https://security.FreeBSD.org/patches/SA-21:08/vm_fault.11.patch.asc
# gpg --verify vm_fault.11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/13/                              2e08308d62f3    stable/13-n245117
releng/13.0/                            724bc23da1a9  releng/13.0-n244728
stable/12/                                                        r369551
releng/12.2/                                                      r369556
stable/11/                                                        r369559
releng/11.4/                                                      r369561
-------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing HHHHHH with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From owner-freebsd-announce@freebsd.org Tue Apr 6 20:23:03 2021
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Message-Id: <20210406202303.35F6815E1C@freefall.freebsd.org>
Date: Tue, 6 Apr 2021 20:23:03 +0000 (UTC)
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-21:09.accept_filter

=============================================================================
FreeBSD-SA-21:09.accept_filter                              Security Advisory
                                                          The FreeBSD Project

Topic:          double free in accept_filter(9) socket configuration interface

Category:       core
Module:         accept_filter
Announced:      2021-04-06
Credits:        Alexey Kulaev
Affects:        FreeBSD 12.2 and later.
Corrected:      2021-03-28 00:24:15 UTC (stable/13, 13.0-STABLE)
                2021-03-28 15:03:37 UTC (releng/13.0, 13.0-RC4)
                2021-03-28 00:26:49 UTC (stable/12, 12.2-STABLE)
                2021-04-06 19:21:21 UTC (releng/12.2, 12.2-RELEASE-p6)
CVE Name:       CVE-2021-29627

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

FreeBSD features an accept_filter(9) mechanism which allows an application
to request that the kernel pre-process incoming connections. For example,
the accf_http(9) accept filter prevents accept(2) from returning until a
full HTTP request has been buffered.

No accept filters are enabled by default. A system administrator must
either compile the FreeBSD kernel with a particular accept filter option
(such as ACCEPT_FILTER_HTTP) or load the filter using kldload(8) in order
to utilize accept filters.

II.  Problem Description

An unprivileged process can configure an accept filter on a listening
socket. This is done using the setsockopt(2) system call. The process
supplies the name of the accept filter which is to be attached to the
socket, as well as a string containing filter-specific information.

If the filter implements the accf_create callback, the socket option
handler attempts to preserve the process-supplied argument string. A bug
in the socket option handler caused this string to be freed prematurely,
leaving a dangling pointer. Additional operations on the socket can turn
this into a double free or a use-after-free.

III. Impact

The bug may be exploited to trigger local privilege escalation or kernel
memory disclosure.

IV.  Workaround

Systems not using accept filters, or using only the accept filters included
with the FreeBSD base system (accf_data(9), accf_dns(9), and accf_http(9))
are unaffected. Note that no accept filters are loaded in the kernel by
default.

Systems using a third-party accept filter module are affected if the module
defines an accf_create callback. In this case, the only workaround is to
ensure that the module is not loaded into the kernel.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-21:09/accept_filter.patch
# fetch https://security.FreeBSD.org/patches/SA-21:09/accept_filter.patch.asc
# gpg --verify accept_filter.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/13/                              c7d10e7ec872    stable/13-n245050
releng/13.0/                            af6611e5adc6  releng/13.0-n244711
stable/12/                                                        r369525
releng/12.2/                                                      r369553
-------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing HHHHHH with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From owner-freebsd-announce@freebsd.org Tue Apr 6 20:23:10 2021
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Message-Id: <20210406202309.EC32415CC4@freefall.freebsd.org>
Date: Tue, 6 Apr 2021 20:23:09 +0000 (UTC)
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-21:10.jail_mount

=============================================================================
FreeBSD-SA-21:10.jail_mount                                 Security Advisory
                                                          The FreeBSD Project

Topic:          jail escape possible by mounting over jail root

Category:       core
Module:         jail
Announced:      2021-04-06
Credits:        Mateusz Guzik
Affects:        All supported versions of FreeBSD.
Corrected:      2021-04-06 18:50:48 UTC (stable/13, 13.0-STABLE)
                2021-04-06 19:18:59 UTC (releng/13.0, 13.0-RC5-p1)
                2021-04-06 19:20:50 UTC (stable/12, 12.2-STABLE)
                2021-04-06 19:21:33 UTC (releng/12.2, 12.2-RELEASE-p6)
                2021-04-06 19:22:31 UTC (stable/11, 11.4-STABLE)
                2021-04-06 19:22:59 UTC (releng/11.4, 11.4-RELEASE-p9)
CVE Name:       CVE-2020-25584

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The jail(2) system call allows a system administrator to lock a process
and all of its descendants inside an environment with a very limited
ability to affect the system outside that environment, even for
processes with superuser privileges. It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.

II.  Problem Description

Due to a race condition between lookup of ".." and remounting a
filesystem, a process running inside a jail might access filesystem
hierarchy outside of jail.

III. Impact

A process with superuser privileges running inside a jail configured
with the allow.mount permission (not enabled by default) could change
the root directory outside of the jail, and thus gain full read and
write access to all files and directories in the system.

IV.  Workaround

As a workaround, disable allow.mount permission for all jails with
untrusted root users; see jail(1) and jail.conf(5) manual pages for
details. Note that this permission is not enabled by default.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.0]
# fetch https://security.FreeBSD.org/patches/SA-21:10/jail_mount.13.patch
# fetch https://security.FreeBSD.org/patches/SA-21:10/jail_mount.13.patch.asc
# gpg --verify jail_mount.13.patch.asc

[FreeBSD 12.2]
# fetch https://security.FreeBSD.org/patches/SA-21:10/jail_mount.12.patch
# fetch https://security.FreeBSD.org/patches/SA-21:10/jail_mount.12.patch.asc
# gpg --verify jail_mount.12.patch.asc

[FreeBSD 11.4]
# fetch https://security.FreeBSD.org/patches/SA-21:10/jail_mount.11.patch
# fetch https://security.FreeBSD.org/patches/SA-21:10/jail_mount.11.patch.asc
# gpg --verify jail_mount.11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/13/                              3ae17faa3704    stable/13-n245118
releng/13.0/                            4710439ec594  releng/13.0-n244729
stable/12/                                                        r369552
releng/12.2/                                                      r369557
stable/11/                                                        r369560
releng/11.4/                                                      r369562
-------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing HHHHHH with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a
particular revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
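An audit for the workaround in section IV of the advisory above, as an added example that is not part of the advisory or of FreeBSD's own tooling: it reads one line of parameters per jail and reports the jails that have allow.mount enabled, so they can be reviewed for untrusted root users. It assumes the `jls -n` output form, in which booleans print as allow.mount or allow.nomount; the function name and the sample jails are constructed.

```shell
#!/bin/sh
# Added example: flag running jails that have allow.mount enabled.
# Input on stdin: one line of space-separated parameters per jail, in the
# form assumed here for `jls -n` (booleans print as allow.mount or
# allow.nomount, sub-permissions as allow.mount.zfs / allow.mount.nozfs).

# Constructed sample input; these jails do not come from the advisory.
SAMPLE_JLS='jid=1 name=web path=/jails/web allow.nomount allow.mount.nodevfs allow.mount.nozfs
jid=2 name=build path=/jails/build allow.mount allow.mount.nodevfs allow.mount.nullfs allow.mount.zfs
jid=3 name=db path=/jails/db allow.nomount allow.mount.nullfs'

# Prints one line per jail with allow.mount set; exit status 1 if any found.
audit_allow_mount() {
    awk '
    {
        jid = "?"; name = "?"; enabled = 0; fstypes = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^jid=/) {
                jid = substr($i, 5)
            } else if ($i ~ /^name=/) {
                name = substr($i, 6)
            } else if ($i == "allow.mount") {
                enabled = 1
            } else if ($i ~ /^allow\.mount\./ && $i !~ /^allow\.mount\.no/) {
                # allow.mount.<fstype> is listed only for context: the
                # jail is reported solely when allow.mount itself is set.
                sep = (fstypes == "" ? "" : ",")
                fstypes = fstypes sep substr($i, 13)
            }
        }
        if (enabled) {
            if (fstypes == "") fstypes = "none"
            printf "jid=%s name=%s allow.mount fstypes=%s\n", jid, name, fstypes
            found = 1
        }
    }
    END { exit (found ? 1 : 0) }'
}

# Demo on the constructed sample; on a FreeBSD host: jls -n | audit_allow_mount
printf '%s\n' "$SAMPLE_JLS" | audit_allow_mount || true
```

The non-zero exit status makes the function usable from a periodic job that should alert whenever a jail with allow.mount appears.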
From: Stefan Parvu
Date: Fri, 9 Apr 2021 17:11:41 +0300
To: Ed Maste
Cc: FreeBSD Current, freebsd-arm, freebsd-announce@freebsd.org
Subject: Re: [FreeBSD-Announce] FreeBSD/arm64 becoming Tier 1 in FreeBSD 13

> FreeBSD will promote arm64 to a Tier 1 architecture in FreeBSD 13.
> This means we will provide release images, binary packages, and
> security and errata updates. While we anticipate there will be minor
> issues with this first release, we believe the port is mature enough
> that they can be resolved during the life of FreeBSD 13.

10 x thanks

Stefan
From: Ed Maste
Date: Fri, 9 Apr 2021 09:23:13 -0400
To: FreeBSD Current, freebsd-arm, freebsd-announce@freebsd.org
Subject: [FreeBSD-Announce] FreeBSD/arm64 becoming Tier 1 in FreeBSD 13

Summary

FreeBSD will promote arm64 to a Tier 1 architecture in FreeBSD 13.
This means we will provide release images, binary packages, and
security and errata updates. While we anticipate there will be minor
issues with this first release, we believe the port is mature enough
that they can be resolved during the life of FreeBSD 13.

Details

Development efforts on FreeBSD/arm64 (also known as AArch64) started
in 2014, with generous financial and technical support from Arm,
Cavium and the FreeBSD Foundation. FreeBSD 11.0 arrived in October
2016 as the first release with support for the architecture.
Improvements to the kernel, tool chain, userland, and ports and
package infrastructure have been ongoing since that time, with
improvements arriving in each minor and major release.

The FreeBSD base system is ready for the promotion of arm64 to Tier 1,
and the Release Engineering, Security, and Ports teams are prepared to
support the Tier 1 requirements for arm64. Security updates via
freebsd-update now include arm64 support (starting with the FreeBSD
13.0 release candidates).

Required ports infrastructure is in place for arm64 and most ports
build successfully. The project now has several Ampere eMAG systems
acting as package build servers. These machines were obtained through
a combination of FreeBSD Foundation purchases and generous donations
from Ampere.

To support port maintainers who do not have access to arm64 hardware
we will be improving ports CI and testing resources (and this effort
will benefit all architectures). We will also be suggesting one or
more low-cost reference platforms for FreeBSD/arm64.

The guarantees included in Tier 1 status are described in
https://docs.freebsd.org/en_US.ISO8859-1/articles/committers-guide/archs.html

In particular, for Tier 1 architectures the project provides release
images, binary package sets, and binary and source updates for
Security Advisories and Errata Notices.

The AArch64 ecosystem’s maturity ensures follow on generations of
hardware. The diversity of offerings, as well as the multiple
generations of hardware shows that the FreeBSD project will benefit
from adding support for this platform. The growth trajectory suggests
this will be a significant portion of the market in the coming years,
and FreeBSD will benefit from tapping into this market with this Tier
1 platform.

(on behalf of core)