From owner-svn-doc-all@freebsd.org Wed Nov 2 07:45:13 2016 Return-Path: Delivered-To: svn-doc-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4A59CC2A671; Wed, 2 Nov 2016 07:45:13 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 14A631D59; Wed, 2 Nov 2016 07:45:13 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uA27jCeJ086135; Wed, 2 Nov 2016 07:45:12 GMT (envelope-from delphij@FreeBSD.org) Received: (from delphij@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uA27jBZ2086123; Wed, 2 Nov 2016 07:45:11 GMT (envelope-from delphij@FreeBSD.org) Message-Id: <201611020745.uA27jBZ2086123@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: delphij set sender to delphij@FreeBSD.org using -f From: Xin LI Date: Wed, 2 Nov 2016 07:45:11 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r49623 - in head/share: security/advisories security/patches/SA-16:33 security/patches/SA-16:34 security/patches/SA-16:35 xml X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-all@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Nov 2016 07:45:13 -0000 Author: delphij Date: Wed Nov 2 07:45:10 2016 New Revision: 49623 URL: https://svnweb.freebsd.org/changeset/doc/49623 Log: Add SA-16:33, SA-16:34 and SA-16:35. Added: head/share/security/advisories/FreeBSD-SA-16:33.openssh.asc (contents, props changed) head/share/security/advisories/FreeBSD-SA-16:34.bind.asc (contents, props changed) head/share/security/advisories/FreeBSD-SA-16:35.openssl.asc (contents, props changed) head/share/security/patches/SA-16:33/ head/share/security/patches/SA-16:33/openssh.patch (contents, props changed) head/share/security/patches/SA-16:33/openssh.patch.asc (contents, props changed) head/share/security/patches/SA-16:34/ head/share/security/patches/SA-16:34/bind.patch (contents, props changed) head/share/security/patches/SA-16:34/bind.patch.asc (contents, props changed) head/share/security/patches/SA-16:35/ head/share/security/patches/SA-16:35/openssl-10.patch (contents, props changed) head/share/security/patches/SA-16:35/openssl-10.patch.asc (contents, props changed) head/share/security/patches/SA-16:35/openssl-9.patch (contents, props changed) head/share/security/patches/SA-16:35/openssl-9.patch.asc (contents, props changed) Modified: head/share/xml/advisories.xml Added: head/share/security/advisories/FreeBSD-SA-16:33.openssh.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-16:33.openssh.asc Wed Nov 2 07:45:10 2016 (r49623) @@ -0,0 +1,143 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-16:33.openssh Security Advisory + The FreeBSD Project + +Topic: OpenSSH Remote Denial of Service vulnerability + +Category: contrib +Module: OpenSSH +Announced: 2016-11-02 +Affects: All supported versions of FreeBSD. +Corrected: 2016-11-02 06:56:35 UTC (stable/11, 11.0-STABLE) + 2016-11-02 07:23:19 UTC (releng/11.0, 11.0-RELEASE-p3) + 2016-11-02 06:58:47 UTC (stable/10, 10.3-STABLE) + 2016-11-02 07:23:36 UTC (releng/10.3, 10.3-RELEASE-p12) +CVE Name: CVE-2016-8858 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +OpenSSH is an implementation of the SSH protocol suite, providing an +encrypted and authenticated transport for a variety of services, +including remote shell access. + +During the SSH handshake procedure, the client and server exchanges the +supported encryption, MAC and compression algorithms along with other +information to negotiate algorithms for initial key exchange, with a +message named SSH_MSG_KEXINIT. + +II. Problem Description + +When processing the SSH_MSG_KEXINIT message, the server could allocate +up to a few hundreds of megabytes of memory per each connection, before +any authentication take place. + +III. Impact + +A remote attacker may be able to cause a SSH server to allocate an excessive +amount of memory. Note that the default MaxStartups setting on FreeBSD will +limit the effectiveness of this attack. + +IV. Workaround + +No workaround is available, but systems where sshd(8) is not used are +not vulnerable. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +The sshd(8) service has to be restarted after the update. A reboot +is recommended but not required. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +The sshd(8) service has to be restarted after the update. A reboot +is recommended but not required. + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-16:33/openssh.patch +# fetch https://security.FreeBSD.org/patches/SA-16:33/openssh.patch.asc +# gpg --verify openssh.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +The sshd(8) service has to be restarted after the update. A reboot +is recommended but not required. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r308199 +releng/10.3/ r308203 +stable/11/ r308198 +releng/11.0/ r308202 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.15 (FreeBSD) + +iQIcBAEBCgAGBQJYGZhkAAoJEO1n7NZdz2rnws4P/0i2V2lw3snDi4oVsX2AVkl+ +bQ9iRUvgO0SSB4b8JZ8dK6wws8InDR8oihm8jBsaOYPOxu7Wz9Zua2ZAjBAY/GLB +o2+2UMGKVNlP59D/pwBD3qWEjG2KYpE5hItX7iykjwDvd8c7UOLZt7oofVfq8R7D +84BkMQb9DM/1PwFI+ztMYN3uAlzsNxi0GqoHe7PBYmA5rq3QF9LoUlRyOW9KQq8Q +TsBg8briGhy44XifhxU7eUsPUrxJLb5c/w3xsuzSw1AFpgSAc8IKAcrknnTdy+0c +k5GfJz/84xcN1/HO6FDVtYgIoOK2C/ljCHiRAPRsVK3TvXl6agErVBf3CTvWKjg9 +NY6QD0KTJw5QF0LT6GbLRAdwnAexQI0U7Hw3Xylv2CFnaxsdYeB9YTVqqMricUqQ +7GZ/ktiXJwBpDLkaieeI6WhbAVdsNQc5A1UWQwjv6mFr5TKhOFWvmHRo/KZprWqd +vFqYNHc3NngcKs537WOXchNnW46hWMsiis/1mJfiRZd89rzq5Dtz7tCcX1c7RgRW +4h0vhtqRMQraby0fI0ND3kC7EnXchMqWAoQ3Tric+2yWQMW/OGDvWXWbM0HqUKq7 +7fOGMmXmLhQnkykf4uwjrP4cyMSzSbGdrLQxpwWPwZoH47es/qYKHukBRcnmEkA+ +VpT6Vpm0Lqi80W5bh783 +=xyal +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-16:34.bind.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-16:34.bind.asc Wed Nov 2 07:45:10 2016 (r49623) @@ -0,0 +1,137 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-16:34.bind Security Advisory + The FreeBSD Project + +Topic: BIND Remote Denial of Service vulnerability + +Category: contrib +Module: bind +Announced: 2016-11-02 +Credits: ISC +Affects: FreeBSD 9.x +Corrected: 2016-11-02 05:13:27 UTC (stable/9, 9.3-STABLE) + 2016-11-02 07:24:34 UTC (releng/9.3, 9.3-RELEASE-p50) +CVE Name: CVE-2016-8864 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +BIND 9 is an implementation of the Domain Name System (DNS) protocols. +The named(8) daemon is an Internet Domain Name Server. + +II. Problem Description + +A defect in BIND's handling of responses containing a DNAME answer could +cause a resolver to exit after encountering an assertion failure in +db.c or resolver.c. + +During processing of a recursive response that contains a DNAME record +in the answer section, BIND could stop executing after encountering an +assertion error in resolver.c. + +III. Impact + +A remote attacker who could cause a server to make a query deliberately +chosen to trigger the failed assertions could cause named(8) to stop, +resulting in a Denial of Service condition to its clients. + +IV. Workaround + +No workaround is available, but hosts not running named(8) recursive +servers are not affected. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +The named service has to be restarted after the update. A reboot is +recommended but not required. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +The named service has to be restarted after the update. A reboot is +recommended but not required. + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-16:34/bind.patch +# fetch https://security.FreeBSD.org/patches/SA-16:34/bind.patch.asc +# gpg --verify bind.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart the named service, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r308193 +releng/9.3/ r308205 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.15 (FreeBSD) + +iQIcBAEBCgAGBQJYGZhkAAoJEO1n7NZdz2rn14UQAOI+3haO5nI3D4wPP9EavF9j +SU1yuv2ZrWaldbdv9lSHWsK5gjOjZAwK4TmZSnhe3yC3nNOJimiD5KAjHhCiQEMN +xZ4L0Xtyhp6Bef7pEPdn1KgJCdufRaXt8QYx+YWz2Zk2lV78J9IRUuWNYzTleetM +yNkPIfkGbIEyzMG11nZKzIQ+rjxNS+/KXJTBD4z4xpyjCwnulHuCTGNNPIGSPbbO +1rwY6NifZXRP6yCWmrQWZPV3I7eAjwtWpmU18kLf6dRbRAWa/M9f+ZCW4vR1bBoR +CAX07D0VDPaUM56XCUaspKSvJ3dpJC9GjuEZVXfBoJzbfixeMqYkjgwaPGT+BxLo +AxJv8PVXZiigq+0pXMGjaHdrwWW8UxkthyifGJFSffZMs4eECrIUhFe/SlMQ/5Zm +WZhA28S4QqlcTpObnWVet3C9QdpBtjlodfZqmovHHWZGGcIVPbW+sVaJ3WF2ni6H +OQuJucIVfKQVuv88aSRVlrtGY/KN9wjyUf4zIpyUgPL+qy3vxz2NB41mjM12ZyAi +35KIv3tR5lZIq4C062qR0zlHKldQgxaQPX4rWq7lhQkk2X8B3SjypSMBRfrAosoW +p/xQGqVwX05M7F8ykcdf8vfu3iipz/JDQgSdy3aeziwO5+2xGUt5cdXWpR0gxK4M +2ajEFjl+rHAfYpDkfoGP +=F1Vx +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-16:35.openssl.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-16:35.openssl.asc Wed Nov 2 07:45:10 2016 (r49623) @@ -0,0 +1,148 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-16:35.openssl Security Advisory + The FreeBSD Project + +Topic: OpenSSL Remote DoS vulnerability + +Category: contrib +Module: openssl +Announced: 2016-11-02 +Affects: FreeBSD 9.x and FreeBSD 10.x. +Corrected: 2016-11-02 07:09:31 UTC (stable/10, 10.3-STABLE) + 2016-11-02 07:23:36 UTC (releng/10.3, 10.3-RELEASE-p12) + 2016-11-02 07:24:14 UTC (releng/10.2, 10.2-RELEASE-p25) + 2016-11-02 07:24:14 UTC (releng/10.1, 10.1-RELEASE-p42) + 2016-11-02 07:09:31 UTC (stable/9, 9.3-STABLE) + 2016-11-02 07:24:34 UTC (releng/9.3, 9.3-RELEASE-p50) +CVE Name: CVE-2016-8610 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is +a collaborative effort to develop a robust, commercial-grade, full-featured +Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) +and Transport Layer Security (TLS v1) protocols as well as a full-strength +general purpose cryptography library. + +The SSL alert protocol is a way to communicate problems within a SSL/TLS session. + +II. Problem Description + +Due to improper handling of alert packets, OpenSSL would consume an excessive +amount of CPU time processing undefined alert messages. + +III. Impact + +A remote attacker who can initiate handshakes with an OpenSSL based server +can cause the server to consume a lot of computation power with very little +bandwidth usage, and may be able to use this technique in a leveraged Denial +of Service attack. + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Restart all daemons that use the library, or reboot the system. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Restart all daemons that use the library, or reboot the system. + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 10.x] +# fetch https://security.FreeBSD.org/patches/SA-16:35/openssl-10.patch +# fetch https://security.FreeBSD.org/patches/SA-16:35/openssl-10.patch.asc +# gpg --verify openssl-10.patch.asc + +[FreeBSD 9.3] +# fetch https://security.FreeBSD.org/patches/SA-16:35/openssl-9.patch +# fetch https://security.FreeBSD.org/patches/SA-16:35/openssl-9.patch.asc +# gpg --verify openssl-9.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart all daemons that use the library, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r308200 +releng/9.3/ r308205 +stable/10/ r308200 +releng/10.1/ r308204 +releng/10.2/ r308204 +releng/10.3/ r308203 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.15 (FreeBSD) + +iQIcBAEBCgAGBQJYGZhkAAoJEO1n7NZdz2rnwbMQAOiGWegkYQodqBzNboK9U+6M +8Jt6HNrYDWAyzp+mZmWxgPWZMkGaNAsBEFXwZlHgs65RCbRczxr/kUWZx2/XHbM3 +kGx5eNIq46BFIrTDPvUgNciorl/ncJGeO4SYEFBYImceDNwIQVtpfz1IUAve+LNW +RYYICakWn8HPuqzmIFjQydMkoyEaHMwsmkv3nVNVX46sVIQ1umZ3RZsKtlPOQqNs +sAa0HuOOQbeU2eJhhtcYcDEPNF7Do9WvSMnYrJQ/lE2SuatXq2tdbvZLV8ieiPoj +3AMf9p2yPpeqqO9yy19CayTSPmDiKMVQq8jikVomX5XkVqNKLrQoQfrvpwR0DWOW +fwIDjZ1H9IXoqjVVZwp5GLfHhAURNjbsszF4B1lXQHI1D/p4bXyOOrcuM1JxHXRK +UGvagbs30DWH+4Baph/UVOsFUhPU0sguPtpPa0XFxSIxB6qZJJGjdOh7el6aBYJu +VxQuw1wWQvJPm9CsIIZrX4WYBcwS8ro82wsfNWO+ZC0j5UbMwh2joFgrbEdWNM3f +MWVYuH5czzoJO85Nu7uGB+qa9GYqKkdwGRDnFshnvPhHHnpmGL/tLHM+Kqg7uDeu +8RsNaZ4PYChZh8YHVooOraDl0Nz0Ln/kok8GdsZUpNfuiXm3U9fLUCAFAdNUOlr6 +PJuvkUEQRMlhG8tX3+11 +=1gO7 +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-16:33/openssh.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-16:33/openssh.patch Wed Nov 2 07:45:10 2016 (r49623) @@ -0,0 +1,10 @@ +--- crypto/openssh/kex.c.orig ++++ crypto/openssh/kex.c +@@ -468,6 +468,7 @@ + if (kex == NULL) + return SSH_ERR_INVALID_ARGUMENT; + ++ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL); + ptr = sshpkt_ptr(ssh, &dlen); + if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0) + return r; Added: head/share/security/patches/SA-16:33/openssh.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-16:33/openssh.patch.asc Wed Nov 2 07:45:10 2016 (r49623) @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.15 (FreeBSD) + +iQIcBAABCgAGBQJYGZiEAAoJEO1n7NZdz2rn+gwP/iKpzCRr46PX5c9XHHy5NGlY +unel+99VsL2KH5mfAfFVRU67FS2AtTWOpSi5CuWMimc0a97mszkbeqzbtO5dcppA +0i71XkzB9nmRLgXKYMt7H7KVmUd4DIXuztvX/sQxbwX5yonRzeqqo1R7Pq55wz6/ +OO//BKLxKUiwDOKHUhhAZkaXEBt39c1EB0bRBpNeqsfsdD9IWm82Wh69jWrkOWeO +6q+lRAtGoAl5vCO85XHYor4Pd7V2uSvLK4DRJyGFps8oc5vr6ZRmRvDTlF6VGBV4 +P/3xPDe1euVDBUZMAnlJVLvkiI2FeEc4lbXAtgirYfKE97XpEkXoEwSc2ExGKte9 +6e3xdmGei4HVb7FQPfrFb4wD/wGXbqp9XKLE/ECYKZM76Hltz1ac7ziihYYJSLyS +/kzS4TBidIHiAiZDYGrREx28LPYtm5w84jBmngdg8BGAPzZNPtXM9phmXaBWeU/c +PcLsjGQUi436R/NYzZ0Z8qM/SDbeghSIvSO+FmaoUHs7T8Bkk1xVU8TQhiv4uYW9 +j94qfOZ8oDbwbq16F2xsfvXLj2b+nnMgcICEiDeoA7aifrmHQCmx3y4VdGPH0/oD +lw9wjSA3vfLgCh9UFb1BkxMcJpYkdTSDOb8cvR+ukIq4jIdJgnucQMd1KItZeaSQ +q09FlZaUT20jY+bZZ2r0 +=qiKR +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-16:34/bind.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-16:34/bind.patch Wed Nov 2 07:45:10 2016 (r49623) @@ -0,0 +1,184 @@ +--- contrib/bind9/lib/dns/resolver.c.orig ++++ contrib/bind9/lib/dns/resolver.c +@@ -524,7 +524,9 @@ + valarg->addrinfo = addrinfo; + + if (!ISC_LIST_EMPTY(fctx->validators)) +- INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0); ++ valoptions |= DNS_VALIDATOR_DEFER; ++ else ++ valoptions &= ~DNS_VALIDATOR_DEFER; + + result = dns_validator_create(fctx->res->view, name, type, rdataset, + sigrdataset, fctx->rmessage, +@@ -4849,13 +4851,6 @@ + rdataset, + sigrdataset, + valoptions, task); +- /* +- * Defer any further validations. +- * This prevents multiple validators +- * from manipulating fctx->rmessage +- * simultaneously. +- */ +- valoptions |= DNS_VALIDATOR_DEFER; + } + } else if (CHAINING(rdataset)) { + if (rdataset->type == dns_rdatatype_cname) +@@ -4961,6 +4956,11 @@ + eresult == DNS_R_NCACHENXRRSET); + } + event->result = eresult; ++ if (adbp != NULL && *adbp != NULL) { ++ if (anodep != NULL && *anodep != NULL) ++ dns_db_detachnode(*adbp, anodep); ++ dns_db_detach(adbp); ++ } + dns_db_attach(fctx->cache, adbp); + dns_db_transfernode(fctx->cache, &node, anodep); + clone_results(fctx); +@@ -5208,6 +5208,11 @@ + fctx->attributes |= FCTX_ATTR_HAVEANSWER; + if (event != NULL) { + event->result = eresult; ++ if (adbp != NULL && *adbp != NULL) { ++ if (anodep != NULL && *anodep != NULL) ++ dns_db_detachnode(*adbp, anodep); ++ dns_db_detach(adbp); ++ } + dns_db_attach(fctx->cache, adbp); + dns_db_transfernode(fctx->cache, &node, anodep); + clone_results(fctx); +@@ -6016,13 +6021,15 @@ + answer_response(fetchctx_t *fctx) { + isc_result_t result; + dns_message_t *message; +- dns_name_t *name, *dname = NULL, *qname, tname, *ns_name; ++ dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name; ++ dns_name_t *cname = NULL; + dns_rdataset_t *rdataset, *ns_rdataset; + isc_boolean_t done, external, chaining, aa, found, want_chaining; +- isc_boolean_t have_answer, found_cname, found_type, wanted_chaining; ++ isc_boolean_t have_answer, found_cname, found_dname, found_type; ++ isc_boolean_t wanted_chaining; + unsigned int aflag; + dns_rdatatype_t type; +- dns_fixedname_t fdname, fqname; ++ dns_fixedname_t fdname, fqname, fqdname; + dns_view_t *view; + + FCTXTRACE("answer_response"); +@@ -6036,6 +6043,7 @@ + + done = ISC_FALSE; + found_cname = ISC_FALSE; ++ found_dname = ISC_FALSE; + found_type = ISC_FALSE; + chaining = ISC_FALSE; + have_answer = ISC_FALSE; +@@ -6045,12 +6053,13 @@ + aa = ISC_TRUE; + else + aa = ISC_FALSE; +- qname = &fctx->name; ++ dqname = qname = &fctx->name; + type = fctx->type; + view = fctx->res->view; ++ dns_fixedname_init(&fqdname); + result = dns_message_firstname(message, DNS_SECTION_ANSWER); + while (!done && result == ISC_R_SUCCESS) { +- dns_namereln_t namereln; ++ dns_namereln_t namereln, dnamereln; + int order; + unsigned int nlabels; + +@@ -6058,6 +6067,8 @@ + dns_message_currentname(message, DNS_SECTION_ANSWER, &name); + external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); + namereln = dns_name_fullcompare(qname, name, &order, &nlabels); ++ dnamereln = dns_name_fullcompare(dqname, name, &order, ++ &nlabels); + if (namereln == dns_namereln_equal) { + wanted_chaining = ISC_FALSE; + for (rdataset = ISC_LIST_HEAD(name->list); +@@ -6152,7 +6163,7 @@ + } + } else if (rdataset->type == dns_rdatatype_rrsig + && rdataset->covers == +- dns_rdatatype_cname ++ dns_rdatatype_cname + && !found_type) { + /* + * We're looking for something else, +@@ -6182,11 +6193,18 @@ + * a CNAME or DNAME). + */ + INSIST(!external); +- if (aflag == +- DNS_RDATASETATTR_ANSWER) { ++ if ((rdataset->type != ++ dns_rdatatype_cname) || ++ !found_dname || ++ (aflag == ++ DNS_RDATASETATTR_ANSWER)) ++ { + have_answer = ISC_TRUE; ++ if (rdataset->type == ++ dns_rdatatype_cname) ++ cname = name; + name->attributes |= +- DNS_NAMEATTR_ANSWER; ++ DNS_NAMEATTR_ANSWER; + } + rdataset->attributes |= aflag; + if (aa) +@@ -6280,11 +6298,11 @@ + return (DNS_R_FORMERR); + } + +- if (namereln != dns_namereln_subdomain) { ++ if (dnamereln != dns_namereln_subdomain) { + char qbuf[DNS_NAME_FORMATSIZE]; + char obuf[DNS_NAME_FORMATSIZE]; + +- dns_name_format(qname, qbuf, ++ dns_name_format(dqname, qbuf, + sizeof(qbuf)); + dns_name_format(name, obuf, + sizeof(obuf)); +@@ -6299,7 +6317,7 @@ + want_chaining = ISC_TRUE; + POST(want_chaining); + aflag = DNS_RDATASETATTR_ANSWER; +- result = dname_target(rdataset, qname, ++ result = dname_target(rdataset, dqname, + nlabels, &fdname); + if (result == ISC_R_NOSPACE) { + /* +@@ -6316,10 +6334,13 @@ + + dname = dns_fixedname_name(&fdname); + if (!is_answertarget_allowed(view, +- qname, rdataset->type, +- dname, &fctx->domain)) { ++ dqname, rdataset->type, ++ dname, &fctx->domain)) ++ { + return (DNS_R_SERVFAIL); + } ++ dqname = dns_fixedname_name(&fqdname); ++ dns_name_copy(dname, dqname, NULL); + } else { + /* + * We've found a signature that +@@ -6344,6 +6365,10 @@ + INSIST(!external); + if (aflag == DNS_RDATASETATTR_ANSWER) { + have_answer = ISC_TRUE; ++ found_dname = ISC_TRUE; ++ if (cname != NULL) ++ cname->attributes &= ++ ~DNS_NAMEATTR_ANSWER; + name->attributes |= + DNS_NAMEATTR_ANSWER; + } Added: head/share/security/patches/SA-16:34/bind.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-16:34/bind.patch.asc Wed Nov 2 07:45:10 2016 (r49623) @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.15 (FreeBSD) + +iQIcBAABCgAGBQJYGZiEAAoJEO1n7NZdz2rnuoAP/2ghYzKyVElGqCJqNSvj9tLV +CAC6SdIdw9SaLyvPc33O6Sx0hpUlUkJxs9DDAA34OcdkiT0MiB2G2QvIFqUaF2p/ +CTPtKCYQ3dmPXdedm/JX5mkz1BJUWl5vHha2Kzmrv2H5VYAti58RGcQASlIIlbl+ +OKIkME+kD1wABPuY3HD4BofT7yt6vezwhvxdSaZDnqEMp2owed8PKNZBRxl4tYX/ +ABioDFCxqs2OwDLU8HYoFcIlXkCin5WgIqGnXtBLIYE/W6E2hFCO4K94QQjRrfoJ +qxYzsIBEVkDsTu1TLvPsINp2PY3Hz93yVSNWAz39z+3R5MzQFhsREfrX6/EJPOi6 +Z8o3oLGZKMsgZ9SPw1gElcvo6Rq9ZfGLsw0GsMWrLOhXtIAfNoL9gVeFPh2rw7lr +qtlOPgnnpXEfOanAQhUfQtp5BuNvcIrfvtMkxqL4BPDT6aeoI+NS1VstZQjnBZR4 +Flgd1ykQbV1ZoCOeJVJaeFiLmMZ0BKz4T0KVrRmBijrVoDzJid11SgDW4N40qSGp +VwQit82ooPzj/YnOp/hDZ19fKY8wA1CUFafjvauqtZwcuc8bDX+AQNZST/we1iki +bEZfH0fDUimKCxkzK1JfnJNG412/m2eZc43aPcXDvH9LjGFbTZw2axTXXgicf2Lo +6A0HJlZU8SV/Y0M/mtlB +=BP8h +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-16:35/openssl-10.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-16:35/openssl-10.patch Wed Nov 2 07:45:10 2016 (r49623) @@ -0,0 +1,94 @@ +--- crypto/openssl/ssl/d1_pkt.c.orig ++++ crypto/openssl/ssl/d1_pkt.c +@@ -924,6 +924,13 @@ + goto start; + } + ++ /* ++ * Reset the count of consecutive warning alerts if we've got a non-empty ++ * record that isn't an alert. ++ */ ++ if (rr->type != SSL3_RT_ALERT && rr->length != 0) ++ s->s3->alert_count = 0; ++ + /* we now have a packet which can be read and processed */ + + if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, +@@ -1190,6 +1197,14 @@ + + if (alert_level == SSL3_AL_WARNING) { + s->s3->warn_alert = alert_descr; ++ ++ s->s3->alert_count++; ++ if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) { ++ al = SSL_AD_UNEXPECTED_MESSAGE; ++ SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS); ++ goto f_err; ++ } ++ + if (alert_descr == SSL_AD_CLOSE_NOTIFY) { + #ifndef OPENSSL_NO_SCTP + /* +--- crypto/openssl/ssl/s3_pkt.c.orig ++++ crypto/openssl/ssl/s3_pkt.c +@@ -1057,6 +1057,13 @@ + return (ret); + } + ++ /* ++ * Reset the count of consecutive warning alerts if we've got a non-empty ++ * record that isn't an alert. ++ */ ++ if (rr->type != SSL3_RT_ALERT && rr->length != 0) ++ s->s3->alert_count = 0; ++ + /* we now have a packet which can be read and processed */ + + if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, +@@ -1271,6 +1278,14 @@ + + if (alert_level == SSL3_AL_WARNING) { + s->s3->warn_alert = alert_descr; ++ ++ s->s3->alert_count++; ++ if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) { ++ al = SSL_AD_UNEXPECTED_MESSAGE; ++ SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS); ++ goto f_err; ++ } ++ + if (alert_descr == SSL_AD_CLOSE_NOTIFY) { + s->shutdown |= SSL_RECEIVED_SHUTDOWN; + return (0); +--- crypto/openssl/ssl/ssl.h.orig ++++ crypto/openssl/ssl/ssl.h +@@ -2717,6 +2717,7 @@ + # define SSL_R_TLS_HEARTBEAT_PENDING 366 + # define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL 367 + # define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157 ++# define SSL_R_TOO_MANY_WARN_ALERTS 409 + # define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233 + # define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234 + # define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235 +--- crypto/openssl/ssl/ssl3.h.orig ++++ crypto/openssl/ssl/ssl3.h +@@ -587,6 +587,8 @@ + char is_probably_safari; + # endif /* !OPENSSL_NO_EC */ + # endif /* !OPENSSL_NO_TLSEXT */ ++ /* Count of the number of consecutive warning alerts received */ ++ unsigned int alert_count; + } SSL3_STATE; + + # endif +--- crypto/openssl/ssl/ssl_locl.h.orig ++++ crypto/openssl/ssl/ssl_locl.h +@@ -389,6 +389,8 @@ + */ + # define SSL_MAX_DIGEST 6 + ++# define MAX_WARN_ALERT_COUNT 5 ++ + # define TLS1_PRF_DGST_MASK (0xff << TLS1_PRF_DGST_SHIFT) + + # define TLS1_PRF_DGST_SHIFT 10 Added: head/share/security/patches/SA-16:35/openssl-10.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-16:35/openssl-10.patch.asc Wed Nov 2 07:45:10 2016 (r49623) @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.15 (FreeBSD) + +iQIcBAABCgAGBQJYGZiEAAoJEO1n7NZdz2rnVlMP/iC0pDsRby5HftZwmlfd0oIA +GsyDBXQf3H2lFrkb5rFKuiDEwMIV1s2uti64TFg5ipYejXXGjkl6r4ogsWFfa2gy +KU6+R4psMOC4C5aVS7QvclIJiyaBNFuAKaoGgv6p/SXYcw9Rbta6BYIy4s0Mr2WB +UiVzTsJg7Ye6ooKREFouZrW98o5VwcRHy22TONnvkTym2Qr1kDU3PuF/TRe6KK/n +IrRs/VI0Hs+VNBRRxIo74zXJm6GLHcadjU8RejVH3iJfQvK6yfyD+S/zhZxLAc9c +zfcNs9RTBxJhKhrfC/mYU+8pF/4t7viRjb/YrHMvnYZXiOygeRTCeIpcbNun/bqy +hBYOZfzdfF0OgAzBviJSU3dx7HHCmzuKNgtxNFh9nsP41E28hy3/jXOkW6476JvK +bfa3RNAIespSqMBR/8DOj16uuDiAp8nZdV5XcOlgcv/Cl992pf+V8+IpZiApJJpR +yrbdS5oBTuiS5nWJRllH1XSEDPA5zpsfcIpbe+2ip81Uxn5cV2+nXI7nRhzGKcSm +/KSqC5ois3EMyfBocTtexy4bDAZZRTSusauLxLh6qR7y92vbckukZLEUeo5XRtOk +BZt63O16ALxUQbYhVoL6Wm/j4xWiL6+s9q/Y8CAgZniviih3UEcFzpKKxglnApZG +XtVDN3i4EaZ2+8mriBp6 +=0PWO +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-16:35/openssl-9.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-16:35/openssl-9.patch Wed Nov 2 07:45:10 2016 (r49623) @@ -0,0 +1,94 @@ +--- crypto/openssl/ssl/d1_pkt.c.orig ++++ crypto/openssl/ssl/d1_pkt.c +@@ -820,6 +820,13 @@ + goto start; + } + ++ /* ++ * Reset the count of consecutive warning alerts if we've got a non-empty ++ * record that isn't an alert. ++ */ ++ if (rr->type != SSL3_RT_ALERT && rr->length != 0) ++ s->s3->alert_count = 0; ++ + /* we now have a packet which can be read and processed */ + + if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, +@@ -1043,6 +1050,14 @@ + + if (alert_level == 1) { /* warning */ + s->s3->warn_alert = alert_descr; ++ ++ s->s3->alert_count++; ++ if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) { ++ al = SSL_AD_UNEXPECTED_MESSAGE; ++ SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS); ++ goto f_err; ++ } ++ + if (alert_descr == SSL_AD_CLOSE_NOTIFY) { + s->shutdown |= SSL_RECEIVED_SHUTDOWN; + return (0); +--- crypto/openssl/ssl/s3_pkt.c.orig ++++ crypto/openssl/ssl/s3_pkt.c +@@ -922,6 +922,13 @@ + return (ret); + } + ++ /* ++ * Reset the count of consecutive warning alerts if we've got a non-empty ++ * record that isn't an alert. ++ */ ++ if (rr->type != SSL3_RT_ALERT && rr->length != 0) ++ s->s3->alert_count = 0; ++ + /* we now have a packet which can be read and processed */ + + if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, +@@ -1121,6 +1128,14 @@ + + if (alert_level == 1) { /* warning */ + s->s3->warn_alert = alert_descr; ++ ++ s->s3->alert_count++; ++ if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) { ++ al = SSL_AD_UNEXPECTED_MESSAGE; ++ SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS); ++ goto f_err; ++ } ++ + if (alert_descr == SSL_AD_CLOSE_NOTIFY) { + s->shutdown |= SSL_RECEIVED_SHUTDOWN; + return (0); +--- crypto/openssl/ssl/ssl.h.orig ++++ crypto/openssl/ssl/ssl.h +@@ -2195,6 +2195,7 @@ + # define SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110 + # define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232 + # define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 227 ++# define SSL_R_TOO_MANY_WARN_ALERTS 409 + # define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233 + # define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234 + # define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235 +--- crypto/openssl/ssl/ssl3.h.orig ++++ crypto/openssl/ssl/ssl3.h +@@ -491,6 +491,8 @@ + char is_probably_safari; + # endif /* !OPENSSL_NO_EC */ + # endif /* !OPENSSL_NO_TLSEXT */ ++ /* Count of the number of consecutive warning alerts received */ ++ unsigned int alert_count; + } SSL3_STATE; + + /* SSLv3 */ +--- crypto/openssl/ssl/ssl_locl.h.orig ++++ crypto/openssl/ssl/ssl_locl.h +@@ -247,6 +247,8 @@ + # define DEC32(a) ((a)=((a)-1)&0xffffffffL) + # define MAX_MAC_SIZE 20 /* up from 16 for SSLv3 */ + ++# define MAX_WARN_ALERT_COUNT 5 ++ + /* + * Define the Bitmasks for SSL_CIPHER.algorithms. + * This bits are used packed as dense as possible. If new methods/ciphers Added: head/share/security/patches/SA-16:35/openssl-9.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-16:35/openssl-9.patch.asc Wed Nov 2 07:45:10 2016 (r49623) @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.15 (FreeBSD) + +iQIcBAABCgAGBQJYGZiEAAoJEO1n7NZdz2rnnpgP/RDo7UkBM/p/JjDZam+hTaYN +zhGZdsBG2tG9Q28SBoJ7MVzry287DkG+/LSfupeqbgsyhuYv4/c+148yK01q8Yw1 +d76zQR+3me2scQ6+kfm+lqYTbqSj6zEZXPU4ND29jEIDhz8BTZTlcyv1rZWrlA6d +FjbFNJQcb74ZbF6JRs1uSIrim3LKQf+Dt6ZUSF0+5zY3SLawXtmPVlvCJ1pYlYRk +4hhCzdojtA8PhQmMpW0RiN9NJX5dJ9sBIHAYQ2Y4zET+2cMA10nvCpixRMnjFriT +Dzpnj+PmF0X6bRh1z6tdM0GmcJxHlzgBCFQcxuWilsezlpdboijOCd4uOha+nr6b +qUJG2ahfZtlvofjUrMVhOK/wyyzztU9+qyQzI6bd4H56gjshR05Ey1BxsyA0+tnW +rLyvYfMIvA5aB52WKeZjOZtXQ8NcKDOmpewAO75hAHEfPD3VknN8FahmbAKcv5Y5 +0PjwiZ//dlp4lvoCYCXEMcLjmmOAOSp+rxFgb/ik4M/K62KhAEBw1QTYTQ4oUpgC +cwWA8vfFtqOYJj/XXn+9NY20YOfobmCmcQ8Hlni8D+X1UD8W/mjkKu9pjkbHDJKo +G2jLJmI0s6hsOPxXWwmWfuC0H/dMry/p790NA8RL2E2JV5bv7TWOCwWNYLTw7UK6 +WNX4+gnV9EucX+/fjxXL +=bOQ8 +-----END PGP SIGNATURE----- Modified: head/share/xml/advisories.xml ============================================================================== --- head/share/xml/advisories.xml Wed Nov 2 07:38:59 2016 (r49622) +++ head/share/xml/advisories.xml Wed Nov 2 07:45:10 2016 (r49623) @@ -8,6 +8,26 @@ 2016 + 11 + + + 2 + + + FreeBSD-SA-16:35.openssl + + + + FreeBSD-SA-16:34.bind + + + + FreeBSD-SA-16:33.openssh + + + + + 10