From owner-svn-src-releng@FreeBSD.ORG Fri Jul 26 22:40:18 2013 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id BF268FC6; Fri, 26 Jul 2013 22:40:18 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 91A4A245C; Fri, 26 Jul 2013 22:40:18 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id r6QMeIIe062259; Fri, 26 Jul 2013 22:40:18 GMT (envelope-from delphij@svn.freebsd.org) Received: (from delphij@localhost) by svn.freebsd.org (8.14.7/8.14.5/Submit) id r6QMeIQg062255; Fri, 26 Jul 2013 22:40:18 GMT (envelope-from delphij@svn.freebsd.org) Message-Id: <201307262240.r6QMeIQg062255@svn.freebsd.org> From: Xin LI Date: Fri, 26 Jul 2013 22:40:18 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r253692 - head/contrib/bind9/lib/dns/rdata/generic releng/8.4 releng/8.4/contrib/bind9/lib/dns/rdata/generic releng/8.4/sys/conf X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 Jul 2013 22:40:18 -0000 Author: delphij Date: Fri Jul 26 22:40:17 2013 New Revision: 253692 URL: http://svnweb.freebsd.org/changeset/base/253692 Log: Fix Denial of Service vulnerability in named(8). [13:07] Security: CVE-2013-4854 Security: FreeBSD-SA-13:07.bind Approved by: so Modified: releng/8.4/UPDATING releng/8.4/contrib/bind9/lib/dns/rdata/generic/keydata_65533.c releng/8.4/sys/conf/newvers.sh Changes in other areas also in this revision: Modified: head/contrib/bind9/lib/dns/rdata/generic/keydata_65533.c Modified: releng/8.4/UPDATING ============================================================================== --- releng/8.4/UPDATING Fri Jul 26 22:04:11 2013 (r253691) +++ releng/8.4/UPDATING Fri Jul 26 22:40:17 2013 (r253692) @@ -15,6 +15,9 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8. debugging tools present in HEAD were left in place because sun4v support still needs work to become production ready. +20130726: p2 FreeBSD-SA-13:07.bind + Fix Denial of Service vulnerability in named(8). + 20130628: p1 FreeBSD-EN-13:01.fxp FreeBSD-EN-13:02.vtnet Fix a problem where dhclient(8) utility tries to initilaize an Modified: releng/8.4/contrib/bind9/lib/dns/rdata/generic/keydata_65533.c ============================================================================== --- releng/8.4/contrib/bind9/lib/dns/rdata/generic/keydata_65533.c Fri Jul 26 22:04:11 2013 (r253691) +++ releng/8.4/contrib/bind9/lib/dns/rdata/generic/keydata_65533.c Fri Jul 26 22:40:17 2013 (r253692) @@ -176,7 +176,7 @@ fromwire_keydata(ARGS_FROMWIRE) { UNUSED(options); isc_buffer_activeregion(source, &sr); - if (sr.length < 4) + if (sr.length < 16) return (ISC_R_UNEXPECTEDEND); isc_buffer_forward(source, sr.length); Modified: releng/8.4/sys/conf/newvers.sh ============================================================================== --- releng/8.4/sys/conf/newvers.sh Fri Jul 26 22:04:11 2013 (r253691) +++ releng/8.4/sys/conf/newvers.sh Fri Jul 26 22:40:17 2013 (r253692) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="8.4" -BRANCH="RELEASE-p1" +BRANCH="RELEASE-p2" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi From owner-svn-src-releng@FreeBSD.ORG Fri Jul 26 22:40:24 2013 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id CA5EDFDE; Fri, 26 Jul 2013 22:40:24 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id A37E5245D; Fri, 26 Jul 2013 22:40:24 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id r6QMeOFo062323; Fri, 26 Jul 2013 22:40:24 GMT (envelope-from delphij@svn.freebsd.org) Received: (from delphij@localhost) by svn.freebsd.org (8.14.7/8.14.5/Submit) id r6QMeNc0062316; Fri, 26 Jul 2013 22:40:23 GMT (envelope-from delphij@svn.freebsd.org) Message-Id: <201307262240.r6QMeNc0062316@svn.freebsd.org> From: Xin LI Date: Fri, 26 Jul 2013 22:40:23 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r253693 - in releng/9.1: . contrib/bind9/lib/dns/rdata/generic sys/conf sys/kern X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 Jul 2013 22:40:25 -0000 Author: delphij Date: Fri Jul 26 22:40:23 2013 New Revision: 253693 URL: http://svnweb.freebsd.org/changeset/base/253693 Log: Fix Denial of Service vulnerability in named(8). [13:07] Fix a bug that allows remote client bypass the normal access checks when when -network or -host restrictions are used at the same time with -mapall. [13:08] Security: CVE-2013-4854 Security: FreeBSD-SA-13:07.bind Security: CVE-2013-4851 Security: FreeBSD-SA-13:08.nfsserver Approved by: so Modified: releng/9.1/UPDATING releng/9.1/contrib/bind9/lib/dns/rdata/generic/keydata_65533.c releng/9.1/sys/conf/newvers.sh releng/9.1/sys/kern/vfs_export.c Modified: releng/9.1/UPDATING ============================================================================== --- releng/9.1/UPDATING Fri Jul 26 22:40:17 2013 (r253692) +++ releng/9.1/UPDATING Fri Jul 26 22:40:23 2013 (r253693) @@ -9,6 +9,13 @@ handbook. Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20130726: p5 FreeBSD-SA-13:07.bind FreeBSD-SA-13:08.nfsserver + Fix Denial of Service vulnerability in named(8). [13:07] + + Fix a bug that allows remote client bypass the normal + access checks when when -network or -host restrictions are + used at the same time with -mapall. [13:08] + 20130618: p4 FreeBSD-SA-13:06.mmap Fix a bug that allowed a tracing process (e.g. gdb) to write to a memory-mapped file in the traced process's address space Modified: releng/9.1/contrib/bind9/lib/dns/rdata/generic/keydata_65533.c ============================================================================== --- releng/9.1/contrib/bind9/lib/dns/rdata/generic/keydata_65533.c Fri Jul 26 22:40:17 2013 (r253692) +++ releng/9.1/contrib/bind9/lib/dns/rdata/generic/keydata_65533.c Fri Jul 26 22:40:23 2013 (r253693) @@ -176,7 +176,7 @@ fromwire_keydata(ARGS_FROMWIRE) { UNUSED(options); isc_buffer_activeregion(source, &sr); - if (sr.length < 4) + if (sr.length < 16) return (ISC_R_UNEXPECTEDEND); isc_buffer_forward(source, sr.length); Modified: releng/9.1/sys/conf/newvers.sh ============================================================================== --- releng/9.1/sys/conf/newvers.sh Fri Jul 26 22:40:17 2013 (r253692) +++ releng/9.1/sys/conf/newvers.sh Fri Jul 26 22:40:23 2013 (r253693) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.1" -BRANCH="RELEASE-p4" +BRANCH="RELEASE-p5" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/9.1/sys/kern/vfs_export.c ============================================================================== --- releng/9.1/sys/kern/vfs_export.c Fri Jul 26 22:40:17 2013 (r253692) +++ releng/9.1/sys/kern/vfs_export.c Fri Jul 26 22:40:23 2013 (r253693) @@ -208,7 +208,7 @@ vfs_hang_addrlist(struct mount *mp, stru np->netc_anon = crget(); np->netc_anon->cr_uid = argp->ex_anon.cr_uid; crsetgroups(np->netc_anon, argp->ex_anon.cr_ngroups, - np->netc_anon->cr_groups); + argp->ex_anon.cr_groups); np->netc_anon->cr_prison = &prison0; prison_hold(np->netc_anon->cr_prison); np->netc_numsecflavors = argp->ex_numsecflavors; From owner-svn-src-releng@FreeBSD.ORG Fri Jul 26 22:40:29 2013 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id E349674; Fri, 26 Jul 2013 22:40:29 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id D0F6B2462; Fri, 26 Jul 2013 22:40:29 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id r6QMeT8O062387; Fri, 26 Jul 2013 22:40:29 GMT (envelope-from delphij@svn.freebsd.org) Received: (from delphij@localhost) by svn.freebsd.org (8.14.7/8.14.5/Submit) id r6QMeT0Y062385; Fri, 26 Jul 2013 22:40:29 GMT (envelope-from delphij@svn.freebsd.org) Message-Id: <201307262240.r6QMeT0Y062385@svn.freebsd.org> From: Xin LI Date: Fri, 26 Jul 2013 22:40:29 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r253694 - in releng/8.3: . sys/kern X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 Jul 2013 22:40:30 -0000 Author: delphij Date: Fri Jul 26 22:40:29 2013 New Revision: 253694 URL: http://svnweb.freebsd.org/changeset/base/253694 Log: Fix a bug that allows remote client bypass the normal access checks when when -network or -host restrictions are used at the same time with -mapall. [13:08] Security: CVE-2013-4851 Security: FreeBSD-SA-13:08.nfsserver Approved by: so Modified: releng/8.3/UPDATING releng/8.3/sys/kern/vfs_export.c Modified: releng/8.3/UPDATING ============================================================================== --- releng/8.3/UPDATING Fri Jul 26 22:40:23 2013 (r253693) +++ releng/8.3/UPDATING Fri Jul 26 22:40:29 2013 (r253694) @@ -15,6 +15,11 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8. debugging tools present in HEAD were left in place because sun4v support still needs work to become production ready. +20130429: p9 FreeBSD-SA-13:08.nfsserver + Fix a bug that allows remote client bypass the normal + access checks when when -network or -host restrictions are + used at the same time with -mapall. + 20130429: p8 FreeBSD-SA-13:05.nfsserver Fix a bug that allows NFS clients to issue READDIR on files. Modified: releng/8.3/sys/kern/vfs_export.c ============================================================================== --- releng/8.3/sys/kern/vfs_export.c Fri Jul 26 22:40:23 2013 (r253693) +++ releng/8.3/sys/kern/vfs_export.c Fri Jul 26 22:40:29 2013 (r253694) @@ -208,7 +208,7 @@ vfs_hang_addrlist(struct mount *mp, stru np->netc_anon = crget(); np->netc_anon->cr_uid = argp->ex_anon.cr_uid; crsetgroups(np->netc_anon, argp->ex_anon.cr_ngroups, - np->netc_anon->cr_groups); + argp->ex_anon.cr_groups); np->netc_anon->cr_prison = &prison0; prison_hold(np->netc_anon->cr_prison); np->netc_numsecflavors = argp->ex_numsecflavors;