Date: Thu, 10 Aug 2017 07:14:48 +0000 (UTC)
From: Xin LI <delphij@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r50656 - in head/share: security/advisories security/patches/EN-17:07 security/patches/EN-17:08 security/patches/SA-17:06 xml
Message-ID: <201708100714.v7A7EmSq054134@repo.freebsd.org>
Author: delphij
Date: Thu Aug 10 07:14:48 2017
New Revision: 50656
URL: https://svnweb.freebsd.org/changeset/doc/50656

Log:
  Add SA-17:06, EN-17:07 and EN-17:08.

Added:
  head/share/security/advisories/FreeBSD-EN-17:07.vnet.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-EN-17:08.pf.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-17:06.openssh.asc (contents, props changed)
  head/share/security/patches/EN-17:07/
  head/share/security/patches/EN-17:07/vnet.patch (contents, props changed)
  head/share/security/patches/EN-17:07/vnet.patch.asc (contents, props changed)
  head/share/security/patches/EN-17:08/
  head/share/security/patches/EN-17:08/pf.patch (contents, props changed)
  head/share/security/patches/EN-17:08/pf.patch.asc (contents, props changed)
  head/share/security/patches/SA-17:06/
  head/share/security/patches/SA-17:06/openssh.patch (contents, props changed)
  head/share/security/patches/SA-17:06/openssh.patch.asc (contents, props changed)
Modified:
  head/share/xml/advisories.xml
  head/share/xml/notices.xml

Added: head/share/security/advisories/FreeBSD-EN-17:07.vnet.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-17:07.vnet.asc Thu Aug 10 07:14:48 2017 (r50656) 
@@ -0,0 +1,133 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-17:07.vnet Errata Notice + The FreeBSD Project + +Topic: VNET kernel panic with asynchronous I/O + +Category: core +Module: kernel +Announced: 2017-08-10 +Credits: Kristof Provost +Affects: FreeBSD 11.0 and later. +Corrected: 2017-07-28 18:09:41 UTC (stable/11, 11.1-STABLE) + 2017-08-10 06:59:07 UTC (releng/11.1, 11.1-RELEASE-p1) + 2017-08-10 06:59:26 UTC (releng/11.0, 11.0-RELEASE-p12) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +POSIX asynchronous I/O permits applications to request asynchronous +completion of I/O requests. VNET permits systems to be configured +with multiple instances of the in-kernel network stack. + +II. Problem Description + +The implementation of POSIX asynchronous I/O for sockets completes I/O +requests in a pool of dedicated worker threads. The VNET feature requires +threads to explicitly select an active instance of the network stack before +performing network operations. The function used to complete asynchronous +I/O requests was not setting a network stack instance before completing I/O +requests. + +III. Impact + +Using POSIX asynchronous I/O with sockets in a VNET-enabled kernel will +panic. + +IV. Workaround + +No workaround is available, but systems that do not enable VNET via a +custom kernel are not affected. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Afterward, reboot the system. 
+ +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Recompile any custom kernel configs using VNET. + +Afterward, reboot the system. + +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-17:07/vnet.patch +# fetch https://security.FreeBSD.org/patches/EN-17:07/vnet.patch.asc +# gpg --verify vnet.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/11/ r321657 +releng/11.0/ r322343 +releng/11.1/ r322342 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-17:07.vnet.asc> +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.21 (FreeBSD) + +iQIzBAEBCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlmMBgEACgkQ7Wfs1l3P +audTDg//WDiH3PoHyr5YmcG4tUwgPFgodV8zUDrURGoLI2DIUwX/RPdsOhHFRIJG +K7ueneJWZDN2IGzNjzrzXAyz30emOhp2AjHwRivqsl0JJ3YWt2IWMge0+FI3RIzp +56+/gmCuTCsCOUxHxuuvN7v14d7WBVLUfouKV09E6wNWcbwiy1i+hjEEFbjbBIcR +XRJJ+iePreq4XWJAyBTRYme24NWk4MUdYZjdprfkGURDycKvlmVqTnafR7RIP9zw +2duCA5iOen50qShxtNm9z5OSlH1ORCh7DIhFmrdiNGQnNNDbAWU1pglSEWUCYtyn +8WrWLKKqfbfYhVveEWalnN4iLAuvgrlq6bTxQ8zecwtj/VYZd1zXABUpZpDOqUB5 +yrNY7A/5opwkBgkv33zG/Ll141UdgCEkWWZm+eFIuX21UIdJmScKoTtGUyC/jldw +yS724uwVfpxRqHf84Th4iYOk1gegpA0vEnhO5Eh8ZSfONXhydQxNQM3D1wI7MkA2 +rKH+UBucOnczPmSFT/GgO9B3iyXQl8nQR/Ff6VdmBEu56vW1sb0a1HYMOWZUfJxK ++SyZ4mMAtyrceHV1I1Z5Lqk3g8rKnS6l6/QzRCIanXZPMx2oohsSFik06taIYE62 +CbuUO6RcXZdTEk6nBFGhuFVew6xjvHXgEIpZ6g3tjrZ/Qqspt/0= +=XzXx +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-EN-17:08.pf.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-17:08.pf.asc Thu Aug 10 07:14:48 2017 (r50656) 
@@ -0,0 +1,127 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-17:08.pf Errata Notice + The FreeBSD Project + +Topic: pf(4) housekeeping thread causes kernel panic + +Category: core +Module: pf +Announced: 2017-08-10 +Credits: Kristof Provost, VinÃcius Zavam, Paul Herman +Affects: FreeBSD 11.x +Corrected: 2017-07-20 17:15:18 UTC (stable/11, 11.1-STABLE) + 2017-08-10 06:59:07 UTC (releng/11.1, 11.1-RELEASE-p1) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +pf(4) is one of several packet filter available in FreeBSD, originally +written for OpenBSD. In addition to filtering packets, it also has packet +normalization capabilities. + +II. Problem Description + +A pf housekeeping thread (pf_purge_thread) could potentially use an +uninitialized variable, leading to a division by zero and a kernel panic. + +III. Impact + +Affected systems panic during startup. + +IV. Workaround + +No workaround is available, but systems not loading the pf kernel module are +not affected. Once a system has started successfully it will not be at risk +of this problem until it is restarted. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Afterward, reboot the system. + +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Afterward, reboot the system. 
+ +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-17:08/pf.patch +# fetch https://security.FreeBSD.org/patches/EN-17:08/pf.patch.asc +# gpg --verify pf.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/11/ r321296 +releng/11.1/ r322342 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220830> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-17:08.pf.asc> +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.21 (FreeBSD) + +iQIzBAEBCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlmMBgEACgkQ7Wfs1l3P +aufndRAA3TYyp6qZzZ+m9Tp5pvDVLPwizN/k/6EkazC2nz1H9vlqG5l6Ho/N+QJ1 +6rDfRw/K/+ijOoy0C/3WfUFeiu38DUnsbxE4LrBb+HterEOdLU1hZmmI5hTZqsoE +8wyV4kcEpapUn1cgb0FWKBaujTYhGc/+z62p3IrPC1mN+P8B5mkzTryYfXvaxA4E +3xBW/abjRIOh3bxQ9BPqGJBX/6Y+sle5XoHDDIvkmfzZU8sYjLFGXgeuxIfsh61h +iBl1q4Tq35EDCK6cOr0s+ksg3q2mTrFNQF2Be4jMX47n1M3d+VeqZpgoa7jqrVY5 +Kv3nrhOaz4Wc/OdN1uxQW5Wxm2BS1/470/ghuOY4wVy59k/4n+esenzJyIeuG4vg +GUBa1ZPrsf9fR3PQgr9E047dPdc8WU7UEwHZfXuXjU6ywGd95siHVY4XB9aPYYYk +ZtzIHAuyOa8GANXjVvEsghSJ9nMleIGO7Tzn9zJ9W/gSxkMDy9EAP3Gaez9OVJko +zGq2TwhnSMdZjmnBpCuF9uZqyeAqDtyj77RYzV8RmhmT1e6dt+EU7Wf4KU3/3Zcr +mWq3wjBvbUJjDy2q9kpnGwnPmTDpXFFIXirgcxdj0QmyejVCRhM44d3UwFZQbxfj +5vL2WwnpytB2+RiNDjhpWVc1FAldM7B+M+vhwsFHcbKKT5S9ciA= +=cBQm +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-17:06.openssh.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-17:06.openssh.asc Thu Aug 10 07:14:48 2017 (r50656) 
@@ -0,0 +1,137 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-17:06.openssh Security Advisory + The FreeBSD Project + +Topic: OpenSSH Denial of Service vulnerability + +Category: contrib +Module: OpenSSH +Announced: 2017-08-10 +Affects: All supported versions of FreeBSD. +Corrected: 2017-08-10 06:36:37 UTC (stable/11, 11.1-STABLE) + 2017-08-10 06:59:07 UTC (releng/11.1, 11.1-RELEASE-p1) + 2017-08-10 06:59:26 UTC (releng/11.0, 11.0-RELEASE-p12) + 2017-08-10 06:36:37 UTC (stable/10, 10.3-STABLE) + 2017-08-10 06:59:43 UTC (releng/10.3, 10.3-RELEASE-p21) +CVE Name: CVE-2016-6515 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +OpenSSH is an implementation of the SSH protocol suite, providing an +encrypted and authenticated transport for a variety of services, +including remote shell access. + +OpenSSH supports a built-in password authentication method, which is +enabled with PasswordAuthentication. This option is disabled by +default on FreeBSD. + +II. Problem Description + +There is no limit on the password length. + +III. Impact + +A remote attacker may be able to cause an affected SSH server to use +excessive amount of CPU by sending very long passwords, when +PasswordAuthentication is enabled by the system administrator. + +IV. Workaround + +Disable PasswordAuthentication in /etc/ssh/sshd_config and restart +sshd. This is the default FreeBSD configuration. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Restart SSH service. 
+ +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Restart SSH service. + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-17:06/openssh.patch +# fetch https://security.FreeBSD.org/patches/SA-17:06/openssh.patch.asc +# gpg --verify openssh.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart the SSH daemon, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r322341 +releng/10.3/ r322344 +stable/11/ r322341 +releng/11.0/ r322343 +releng/11.1/ r322342 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6515> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:06.openssh.asc> +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.21 (FreeBSD) + +iQIzBAEBCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlmMBgIACgkQ7Wfs1l3P +aucJdxAA08okYfV547zvlAnX0t2lzVY7k0EDpXJChmmOjTwcvWODXMCyfTzP0EQb +E7QjGushlfGU8tgCrbcFf46r2NgDRlqf5/+QK/fIohcQNwfKwJV0J5oeICzTwwOY +rAjgeg03T785nSiF/WyX3NsdWv/uVvJqalAqfohj4O1YUEkZPezDUdcys+ESvqAW +ujEQId1sD3wlHcwZweFmN60hzHuqR2o6+/3G8aT9ZZG3v46nM6moZiUyF5vh1hEl +16y86kyAIrTb0cCpsUL3M6ajQ15y/EQEzQBCqMedGdWlJzOFZyxgsCikcCw+07pr +u0NCrzq37E+8hQGFQk5ZoZxQb/8xaReQACi+RZeJAevWX0vOni6dCSWPMy6WqXOf +D8CzEcZiT+fYB4/zev/xPxlF5onEw4gbTkgbu1KLvBD9AgSKu7MdPoxkpyOwolMs +nAC084kl+yYJuxHAr7W58VdGPFDOHsvG6YYWQ4nwKjJqKGi24eOGQkOPUtBuJRYA +Q8ISdE0VXiMmND0vhLNDh0Gjbupz3nBNoawGAGy9OsNqRhQ6ioYIte67Ku+ev7nz +ydS8P72ExWuYQHsyVIoJviAAFnSPA2H15/tCES5Di8SkeLik7tQrI3SHOH0qd328 +dl0l2VGnnWYsAgGa68Xksn/DZd07cdpp5q1GitqvMPeDBb8/Iaw= +=FxJQ +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-17:07/vnet.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-17:07/vnet.patch Thu Aug 10 07:14:48 2017 (r50656) @@ -0,0 +1,18 @@ +--- sys/kern/sys_socket.c.orig ++++ sys/kern/sys_socket.c +@@ -675,6 +675,7 @@ + { + struct kaiocb *job; + ++ CURVNET_SET(so->so_vnet); + SOCKBUF_LOCK(sb); + while (!TAILQ_EMPTY(&sb->sb_aiojobq) && soaio_ready(so, sb)) { + job = TAILQ_FIRST(&sb->sb_aiojobq); +@@ -698,6 +699,7 @@ + ACCEPT_LOCK(); + SOCK_LOCK(so); + sorele(so); ++ CURVNET_RESTORE(); + } + + void Added: head/share/security/patches/EN-17:07/vnet.patch.asc ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-17:07/vnet.patch.asc Thu Aug 10 07:14:48 2017 (r50656) @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.21 (FreeBSD) + +iQIzBAABCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlmMBigACgkQ7Wfs1l3P +aud1/g//T+r0QjiYhomNf6Nuqc1mQKRG7YT0rJJ7bBHNn+ftOFuscW8gzgfvkL8m +I8jJVEnWyQy6+tcsg0aZt0WntmAyM+tmmdXZA55WdeZ550jzfKyJRCjya7vTGqWT +3ewoXm5Vsw08+Cr5CgF1YZWHHDXGXSScoiOsWnjqXHywRg2t4lrJjEWJOh/BZq+q +ro0pL236Awa7R2OnystMF8Vp7XUPjKcueEDmrjqmq9vMqvXJn1D/XW/p8StTDdRB +E00IYcuyZEX2s1OrEEqusHsRjNMPIJCb1x0eJl6Zh/lekjejl5hG7VhlJJicl9GN +kzATbcIcifEAZEwSPx1THgZwJL1PzQJ7peyALCG/hB6buqYonYP7JrWNcQq32vg+ +P1BlLq8XfUa2yV7H8x2fUBcUN7Xjy7/8d/nJd68gX2vdDjOfvh43xAnECUDnWpGW +AzRLFiMJJ5blv1fjn3xDLBoEPOMY7uwIk0I7ye9FUAIQRdD1jvTimcTI0wx0i0lE +6HHjNtpC7ZYhk7ADFouzCfzAUYfzPY0xFP/Qp9vmR+DiFQffAAUn4vhHpiROoEHd +k+PK+0wihcnglHj+v/A0vFYgJ86cWqF7tDA2iwkqVhXJWwWkQ+ZTiYJBaFRqNPWw +k8lMNOcs0BxLZ4XRKqH/wr/r9ZsDtAVDiz0G8ANo1+FdXbVqAcI= +=QQJA +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-17:08/pf.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-17:08/pf.patch Thu Aug 10 07:14:48 2017 (r50656) 
@@ -0,0 +1,24 @@ +--- sys/netpfil/pf/pf.c.orig ++++ sys/netpfil/pf/pf.c +@@ -129,6 +129,8 @@ + #define V_pf_tcp_secret_init VNET(pf_tcp_secret_init) + VNET_DEFINE(int, pf_tcp_iss_off); + #define V_pf_tcp_iss_off VNET(pf_tcp_iss_off) ++VNET_DECLARE(int, pf_vnet_active); ++#define V_pf_vnet_active VNET(pf_vnet_active) + + /* + * Queue for pf_intr() sends. +@@ -1441,6 +1443,12 @@ + kproc_exit(0); + } + ++ /* Wait while V_pf_default_rule.timeout is initialized. */ ++ if (V_pf_vnet_active == 0) { ++ CURVNET_RESTORE(); ++ continue; ++ } ++ + /* Process 1/interval fraction of the state table every run. */ + idx = pf_purge_expired_states(idx, pf_hashmask / + (V_pf_default_rule.timeout[PFTM_INTERVAL] * 10)); Added: head/share/security/patches/EN-17:08/pf.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-17:08/pf.patch.asc Thu Aug 10 07:14:48 2017 (r50656) 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.21 (FreeBSD) + +iQIzBAABCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlmMBigACgkQ7Wfs1l3P +auf3yhAA3kHXPGMKXhLNNU4x4Nen4lwOPw78L+ZIboLMCT8cOLRDXtHiqLdGljeQ +jQfNTXxL3wgNYyX8M3uwbvTeuJ1XGqWoDvdqCB/ngfUNQjnaturyKBiu60soiXJp +RIta99QQ+PUpL6e5Kxnb9jIF0HvFELkxfq6eicS2d7V/QjcZAKpArF14vOAVdt18 +C+aUY5wpNFzvyDJ6a/uWpexACnS2wFMElWOV10fjh4vSMaxCectK6eejT7ansQC2 +OAcpyzd6p2giidw2D+B54PGZAOX2utKEpJ9jBm+ITFYqhasQm3WtEQ0ozl8Rc4Ru +j4DToZwFwwaKTcpyKE2C3E9EtqiadePkQoFkfhQixdcUm7FFj0k+6Kou3QT4eAMy +5iuenPh9q2oMrW0ye8EqTVyRan9s4+jBpiibW/AEIPguegGl9L2Pg3Xw39pTXLPj +D0+la6GnESFWRod9w6IPcL97EQuD2NnBRkMru2xHHk7636Zc9aE12oI0ckrhfi7D +Pda31jKEC3BucLMIGMnVU8JN7IX3abbY+wgL8ttWeGmjr4TRMnV8fX0b/4bhKOx5 +fQMakqxQXBJr8i9tPmx43+TPO8f9ddqtSDKRAfZTpASN0ugCFyH08veTx8Ahh7bQ +TwyY8wRFQCxEeod1kJ4rUoWou1/1tMZiM4N3+I2Os7E+HdO+3HY= +=hezW +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-17:06/openssh.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-17:06/openssh.patch Thu Aug 10 07:14:48 2017 (r50656) @@ -0,0 +1,21 @@ +--- crypto/openssh/auth-passwd.c.orig ++++ crypto/openssh/auth-passwd.c +@@ -66,6 +66,8 @@ + #define DAY (24L * 60 * 60) /* 1 day in seconds */ + #define TWO_WEEKS (2L * 7 * DAY) /* 2 weeks in seconds */ + ++#define MAX_PASSWORD_LEN 1024 ++ + void + disable_forwarding(void) + { +@@ -87,6 +89,9 @@ + static int expire_checked = 0; + #endif + ++ if (strlen(password) > MAX_PASSWORD_LEN) ++ return 0; ++ + #ifndef HAVE_CYGWIN + if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) + ok = 0; Added: head/share/security/patches/SA-17:06/openssh.patch.asc ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-17:06/openssh.patch.asc Thu Aug 10 07:14:48 2017 (r50656) @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.21 (FreeBSD) + +iQIzBAABCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlmMBicACgkQ7Wfs1l3P +aueQ2hAAlv9j3RiWL+SaafCb4DUcDEq99zGpHbOAr1wgV/n7UqFpaan5UIE9z92e +YJXKJrwvxMr4Znc9O0MI6C/fawIgO1g/699Q9CwlmROtqBaF2Qz7PTj7RP5IntOZ +RgFNycPvq8qy+H1S1yK8UbfQ+3rl2Vz1xBe9SwmXvseHhVIHxr2l8mLTjEPtInOW +EMXsdX+QPX3+4uPX+mkV4WtPt4YYmM3aHVeqI2YVwe6DlsWL4y2OIBz23B9Lggwp +28m4sIfonNtZwDf0BSf7sdzPzYGQyjQ9Kwr5SEyqOV0eR9FeHr6cjW4UBu3X1X0I +eeCTBcrHbzcpEFr75pvEbsTRhzGVtBWtTAhvD+eXN2NaqTQrivvFAZaYiu8tWlpZ +QYgMwdwotZd96msiI1H1M6IdM1wJjEvXlaipnoAKkX2b88Hd5WDA2q2PZSU5BMDP +gKK51xc6BQ/6KzwCyfxNX0vzImM7mL6MBo7y9Lqi/7U3CPQmuDX3sCzs6fLp0kli +fQLpjetc5IcIFhyRnvRUpDVvfnU8KyyveU4ZMJ1dqfAZnBGXtu+ri7hknVLO10HY +XipKtvPkaMIA7v5ky/pTOyfRc0sqWUvHav0M7eDL331GaWoz9bUP5NcD+YowRAgs +P4/LyAdTxkT53jzqGSf/RN3I8KRhniUzZVjTv6nq39Qf6MvJG9g= +=n0X7 +-----END PGP SIGNATURE----- Modified: head/share/xml/advisories.xml ============================================================================== --- head/share/xml/advisories.xml Wed Aug 9 15:40:15 2017 (r50655) +++ head/share/xml/advisories.xml Thu Aug 10 07:14:48 2017 (r50656) @@ -8,6 +8,18 @@ <name>2017</name> <month> + <name>8</name> + + <day> + <name>10</name> + + <advisory> + <name>FreeBSD-SA-17:06.openssh</name> + </advisory> + </day> + </month> + + <month> <name>7</name> <day> Modified: head/share/xml/notices.xml ============================================================================== --- head/share/xml/notices.xml Wed Aug 9 15:40:15 2017 (r50655) +++ head/share/xml/notices.xml Thu Aug 10 07:14:48 2017 (r50656) 
@@ -8,6 +8,22 @@ <name>2017</name> <month> + <name>8</name> + + <day> + <name>10</name> + + <notice> + <name>FreeBSD-EN-17:08.pf</name> + </notice> + + <notice> + <name>FreeBSD-EN-17:07.vnet</name> + </notice> + </day> + </month> + + <month> <name>7</name> <day>
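
Review bot: In FreeBSD-EN-17:08.pf.asc, section I. Background reads "one of several packet filter available in FreeBSD", which should be "packet filters", and the second name on the Credits line shows as "VinÃcius" in this message, which looks like a character-encoding problem. Both sit inside the clearsigned text, so it is worth checking the file's encoding and wording before the signed copy is published.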
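
Review bot: In FreeBSD-SA-17:06.openssh.asc, section II. Problem Description is the single sentence "There is no limit on the password length." and does not say which code path handles the password, while III. Impact speaks of excessive CPU use. One more sentence tying the unbounded length to the CPU cost would let a reader judge exposure without following the CVE link in section VII.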
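
Review bot: In EN-17:07/vnet.patch the CURVNET_SET(so->so_vnet) added in the @@ -675 hunk is paired only with the CURVNET_RESTORE() added after sorele(so) in the @@ -698 hunk, and the lines between the two hunks are not shown. Any return or other early exit in that span would leave the worker thread with the socket's vnet still selected, so please confirm the function has a single exit, or add a short comment at the CURVNET_SET stating that it does.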
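
Review bot: In the @@ -1441 hunk of EN-17:08/pf.patch the new "if (V_pf_vnet_active == 0)" guard skips the run while the default rule is uninitialized, but the divisor in "pf_hashmask / (V_pf_default_rule.timeout[PFTM_INTERVAL] * 10)" is still used unchecked, so the fix depends on pf_vnet_active implying a non-zero PFTM_INTERVAL. A direct check of the divisor, or a comment stating that invariant, would make this robust. Please also confirm that the "continue" returns to a point in the loop that sleeps, since the loop head is outside the visible context and the guard would otherwise spin until the vnet becomes active. In the @@ -129 hunk, pf_vnet_active is brought in with VNET_DECLARE among VNET_DEFINE lines; a comment naming where it is defined would help.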
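
Review bot: In the @@ -87 hunk of SA-17:06/openssh.patch the new "if (strlen(password) > MAX_PASSWORD_LEN) return 0;" rejects the attempt without logging anything on that path, so an oversized password is indistinguishable in the logs from an ordinary failed login. A log message here would let operators see the long-password traffic the advisory describes. MAX_PASSWORD_LEN is also defined in the @@ -66 hunk without a comment, unlike the DAY and TWO_WEEKS defines directly above it; a brief note on why 1024 was chosen would help.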