From: Xin LI
Date: Wed, 25 Feb 2015 06:26:00 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r46288 - in head/share: security/advisories security/patches/EN-15:01 security/patches/EN-15:02 security/patches/EN-15:03 security/patches/SA-15:04 security/patches/SA-15:05 xml

Author: delphij
Date: Wed Feb 25 06:25:59 2015
New Revision: 46288
URL: https://svnweb.freebsd.org/changeset/doc/46288

Log:
  Add latest batch of security advisories and errata notices.

Added:
  head/share/security/advisories/FreeBSD-EN-15:01.vt.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-EN-15:02.openssl.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-EN-15:03.freebsd-update.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-15:04.igmp.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-15:05.bind.asc (contents, props changed)
  head/share/security/patches/EN-15:01/
  head/share/security/patches/EN-15:01/vt.patch (contents, props changed)
  head/share/security/patches/EN-15:01/vt.patch.asc (contents, props changed)
  head/share/security/patches/EN-15:02/
  head/share/security/patches/EN-15:02/openssl-10.0.patch (contents, props changed)
  head/share/security/patches/EN-15:02/openssl-10.0.patch.asc (contents, props changed)
  head/share/security/patches/EN-15:02/openssl-10.1.patch (contents, props changed)
  head/share/security/patches/EN-15:02/openssl-10.1.patch.asc (contents, props changed)
  head/share/security/patches/EN-15:02/openssl-8.4.patch (contents, props changed)
head/share/security/patches/EN-15:02/openssl-8.4.patch.asc (contents, props changed) head/share/security/patches/EN-15:02/openssl-9.3.patch (contents, props changed) head/share/security/patches/EN-15:02/openssl-9.3.patch.asc (contents, props changed) head/share/security/patches/EN-15:03/ head/share/security/patches/EN-15:03/freebsd-update.patch (contents, props changed) head/share/security/patches/EN-15:03/freebsd-update.patch.asc (contents, props changed) head/share/security/patches/SA-15:04/ head/share/security/patches/SA-15:04/igmp.patch (contents, props changed) head/share/security/patches/SA-15:04/igmp.patch.asc (contents, props changed) head/share/security/patches/SA-15:05/ head/share/security/patches/SA-15:05/bind.patch (contents, props changed) head/share/security/patches/SA-15:05/bind.patch.asc (contents, props changed) Modified: head/share/xml/advisories.xml head/share/xml/notices.xml Added: head/share/security/advisories/FreeBSD-EN-15:01.vt.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-15:01.vt.asc Wed Feb 25 06:25:59 2015 (r46288) 
@@ -0,0 +1,132 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-15:01.vt Errata Notice + The FreeBSD Project + +Topic: vt(4) crash with improper ioctl parameters + +Category: core +Module: vt +Announced: 2015-02-25 +Credits: Francisco Falcon from Core Security Technologies +Affects: FreeBSD 9.3 and FreeBSD 10.1 +Corrected: 2015-02-02 18:48:49 UTC (stable/10, 10.1-STABLE) + 2015-02-25 05:56:16 UTC (releng/10.1, 10.1-RELEASE-p6) + 2015-02-02 18:48:49 UTC (stable/9, 9.3-STABLE) + 2015-02-25 05:56:54 UTC (releng/9.3, 9.3-RELEASE-p10) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The vt(4) device provides multiple virtual terminals with an extensive +feature set. + +II. Problem Description + +The vt(4) code uses a signed integer as index value and does not test for +negative values. + +III. Impact + +A local attacker could trigger a panic by tricking the kernel into +accessing undefined kernel memory. + +IV. Workaround + +No workaround is available, but systems that do not use vt(4) are not +affected. + +All affected FreeBSD releases does not ship with vt(4) enabled by +default, and user have to enable them explicitly. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +2) To update your present system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +3) To update your present system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. 
+ +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-15:01/vt.patch +# fetch https://security.FreeBSD.org/patches/EN-15:01/vt.patch.asc +# gpg --verify vt.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r278106 +releng/9.3/ r279265 +stable/10/ r278106 +releng/10.1/ r279264 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + + + +The latest revision of this Errata Notice is available at +https://security.FreeBSD.org/advisories/FreeBSD-EN-15:01.vt.asc + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.1 (FreeBSD) + +iQIcBAEBCgAGBQJU7Wi8AAoJEO1n7NZdz2rnjXUQAIXWVC52AmDrQHvirZ23Jc84 +OnhLpYU3McHxtEpuIRZOcklDwuBQlP/0u1zsHoPvlHP/t6k74SA07MsuYjnUYrom +lF+P9wlmADXXFijGceE3UvdxD574ByyOVuqwvjDMbnxJOCyUNM4NaflZCacpqt4J +P7cpZVBLIh/lmFZYuuyYZ+AKC+02hNGQkLfY010EmPjsZMPYgr6UfRP5UG3+JLvy +LXYXOMkklQst9tSyJoC1QhQ8N6MbvGAjs0f9tO2G3nLkxdSZfAWnIExkACUnhW5G +2JzBJXTrXbyRelX3RmCV93j/9PHkS5Oj85p3fmc8swsdEgyq3e2rVMUdWEtJEZuE +c5lR/cGikMpFlsFnJqNi8LyIoXiGuVfLlhsNZsfjOn4WzenYd5gbmzZFLiu5agfq +TZZOAtpoYv7yvW+t98yZR+wUDQNk0Jsq738FR8qnPG4uN0yFVMjg+EEWMIEA+fnj +rLPxCO798PkpsVgUY+KC02Q/OLDcavWmf4+dGLGXVOHGrdmW4/9mSywiQQEZXl/9 +5GsY/5Qy6XmL8bf+I7pa1ozUGvJNZo+GZaak5hnaaaWiAt/aTlf9uoeNCizGo7ad ++srCLTEI0lEo883PrgNE8K1WWbg/by9Nv9YkE9AkPaAt8gIj/sOMuRv5/oGUj94D +v5gabABppiNMM9tNykM9 +=7HYa +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-EN-15:02.openssl.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-15:02.openssl.asc Wed Feb 25 06:25:59 2015 (r46288) 
@@ -0,0 +1,150 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-15:02.openssl Errata Notice + The FreeBSD Project + +Topic: OpenSSL update + +Category: contrib +Module: openssl +Announced: 2015-02-25 +Affects: All supported versions of FreeBSD. +Corrected: 2015-01-23 19:14:36 UTC (stable/10, 10.1-STABLE) + 2015-02-25 05:56:16 UTC (releng/10.1, 10.1-RELEASE-p6) + 2015-02-25 05:56:16 UTC (releng/10.0, 10.0-RELEASE-p18) + 2015-01-09 01:11:43 UTC (stable/9, 9.3-STABLE) + 2015-02-25 05:56:54 UTC (releng/9.3, 9.3-RELEASE-p10) + 2015-01-09 01:11:43 UTC (stable/8, 8.4-STABLE) + 2015-02-25 05:56:54 UTC (releng/8.4, 8.4-RELEASE-p24) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is +a collaborative effort to develop a robust, commercial-grade, full-featured +Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) +and Transport Layer Security (TLS v1) protocols as well as a full-strength +general purpose cryptography library. + +II. Problem Description + +The OpenSSL software bundled with the FreeBSD base system has been diverged +due to various security advisories in the past and some reliability fixes +were not merged. + +III. Impact + +Divergence in the cryptographic code makes it harder to review changes, and +running unique code exposes users who run FreeBSD to possible unique bugs, +if there is any. + +IV. Workaround + +No workaround is available, but systems that do not use base system OpenSSL +for public facing services are not affected. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. 
+ +2) To update your present system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +3) To update your present system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 8.4] +# fetch https://security.FreeBSD.org/patches/EN-15:02/openssl-8.4.patch +# fetch https://security.FreeBSD.org/patches/EN-15:02/openssl-8.4.patch.asc + +[FreeBSD 9.3] +# fetch https://security.FreeBSD.org/patches/EN-15:02/openssl-9.3.patch +# fetch https://security.FreeBSD.org/patches/EN-15:02/openssl-9.3.patch.asc + +[FreeBSD 10.0] +# fetch https://security.FreeBSD.org/patches/EN-15:02/openssl-10.0.patch +# fetch https://security.FreeBSD.org/patches/EN-15:02/openssl-10.0.patch.asc + +[FreeBSD 10.1] +# fetch https://security.FreeBSD.org/patches/EN-15:02/openssl-10.1.patch +# fetch https://security.FreeBSD.org/patches/EN-15:02/openssl-10.1.patch.asc + +# gpg --verify XXXX.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart all deamons using the library, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r276865 +releng/8.4/ r279265 +stable/9/ r276865 +releng/9.3/ r279265 +stable/10/ r277597 +releng/10.0/ r279264 +releng/10.1/ r279264 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + +The latest revision of this Errata Notice is available at +https://security.FreeBSD.org/advisories/FreeBSD-EN-15:02.openssl.asc + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.1 (FreeBSD) + +iQIcBAEBCgAGBQJU7WjCAAoJEO1n7NZdz2rnqScP/0nfy96IWKzt6GdHXIF7rgSl +yNF9xCfsG0jYgL2B7eLOmLyqT4+P5kEgarTCncjtDh/YEtfx/xXTseCPCAbVGmre +qhYQ/8J05bmw4vkFUxUtQAt0Kn2e911IfU1BM1J9/7sO39iBZkrbTf+mQ3zbuHP/ +0Iluz0vQY4N5qrStywr34Qy3UVzh06YmrNYGryxn+vw4FmGMp0eMeX7SGHO1saAI +Rwe8Q2nArl1pIffMtbB84MU8GphIS9td5U3w7+wJ94r7s9bXULIvKwd91H8+A8sW +njmldZLs4L192Ez7NoL25+uz0AdB0R2Flb9iDwTxDyvuudQeZR0qJAfXU/sbsa6r +PFt41UCV1ZJA0d+N8GG1X2lHBkaw5LWcV5GNKAFwGj659ycYqRndpPhjviM1WLJs +s/zlhM/0z3iFC5EZn0z1oNf8W0AhxGMrGG9EdFLGFE1w0U6BqPujqdZMBoey0y+Q +00O0APcQENNo4jr8xBg/ykzA7cbCao48nbPDOWiY2SLiB+HLdbafapPimndyF0nf +JxOe973UzZVRg+mdni3I6MriK1uaTAjMzNYD5x0avoResocrJKwZVUswNOJV1ONs +gvTvmAAYHGvDXeiV8YP1nb2+G8dusljawRkkY2Hg0yBH6PS+qKfMfCq+UEQ5ewdc +L7YxxXDEwrBgtAkv5A5z +=xouA +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-EN-15:03.freebsd-update.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-15:03.freebsd-update.asc Wed Feb 25 06:25:59 2015 (r46288) 
@@ -0,0 +1,160 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-15:03.freebsd-update Errata Notice + The FreeBSD Project + +Topic: freebsd-update updates libraries in suboptimal order + +Category: base +Module: freebsd-update +Announced: 2015-02-25 +Credits: Brooks Davis +Affects: All supported versions of FreeBSD. +Corrected: 2015-02-09 09:22:47 UTC (stable/10, 10.1-STABLE) + 2015-02-25 05:56:16 UTC (releng/10.1, 10.1-RELEASE-p6) + 2015-02-25 05:56:16 UTC (releng/10.0, 10.0-RELEASE-p18) + 2015-02-09 09:45:58 UTC (stable/9, 9.3-STABLE) + 2015-02-25 05:56:54 UTC (releng/9.3, 9.3-RELEASE-p10) + 2015-02-09 10:09:46 UTC (stable/8, 8.4-STABLE) + 2015-02-25 05:56:54 UTC (releng/8.4, 8.4-RELEASE-p24) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The freebsd-update(8) utility is used to apply binary patches to FreeBSD +systems installed from official release images, as an alternative to +rebuilding from source. A freebsd-update(8) build server generates the +signed update packages, consisting of an index of files and directories +with checksums before the update, a set of binary patches, and an +index of files and directories with checksums after the update. The +client downloads the indexes, verifies the signatures and checksums, +then downloads and applies the required patches. + +II. Problem Description + +In general, the runtime linker needs to be updated before all other +libraries, including the standard C library (libc) and the threading +library (libthr), because these libraries depend on functionality of +the runtime linker. 
+ +Before this update, the freebsd-update(8) utility did not enforce +this ordering requirement and would replace libthr (and all other +libraries) before updating the runtime linker. + +A recent change to the FreeBSD threading library that would prevent +a deadlock in a child process requires a NULL pointer test in the +runtime linker (/libexec/ld-elf.so.1) be in place. Since previous +versions of the runtime linker do not have this test, processes will +crash due to a NULL pointer deference. + +III. Impact + +If a name-service switch module linked to the threading library -- such +as ldap or winbind -- was configured to provide passwd or group services +in /etc/nsswitch.conf, then all attempts to look up a user or group by +name after the threading library was updated would result in a crash. +Most obviously, all further install(1) invocations by freebsd-update(8) +will crash, leaving the system partially updated and largely unusable. + +IV. Workaround + +Disabling any name-service switch modules linked to libthr prior to +running the freebsd-update(8) 'upgrade' command works around the issue. +These modules include, but are not limited to, ldap and winbind. + +V. Solution + +The freebsd-update(8) utility has been updated to install the runtime +linker before any libraries. + +You MUST upgrade systems prior to 10.1 to address this errata notice before +updating to 10.1 or later using freebsd-update(8). + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +2) To update your present system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +3) To update your present system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. 
+ +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 9.3] +# fetch https://security.FreeBSD.org/patches/EN-15:03/freebsd-update.patch +# fetch https://security.FreeBSD.org/patches/EN-15:03/freebsd-update.patch.asc +# gpg --verify freebsd-update.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r278446 +releng/8.4/ r279265 +stable/9/ r278444 +releng/9.3/ r279265 +stable/10/ r278443 +releng/10.0/ r279264 +releng/10.1/ r279264 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + +The latest revision of this Errata Notice is available at +https://security.FreeBSD.org/advisories/FreeBSD-EN-15:03.freebsd-update.asc + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.1 (FreeBSD) + +iQIcBAEBCgAGBQJU7WjDAAoJEO1n7NZdz2rnkNkQAOJU6l5aKWWwvxU+Bxwc/zV5 +DcmGnL+7b/dN2zKdRVz6N54vuFnoUsXMd5EobxdC5MX31Yn/GnL5dQMbJDNAEL8D +I6jYdqf7PQL3v+EBiOFNazjeRbx5EM2gNLfwozv5LHKxER5ggmalmmf168Se4cRX +V+v2i28lCvAgOu3hXLd5gKQ3s8dNh2t/uxWI+fS3Sl6bitC0xVsXFEpTc8qIaJEu +cbVmedRQEoSnQPLdpoSgbmQpjp6/45l/UtLZpK7Cr7h8BHS9wtKdWjjkNL/wyF5j +3p2yanr6koT3P1iAhBJFE/3Dw4h5PlvWH56LP4PJmACuxU02AYrjc/ZVX1IL6bLt +9AuO8W28DTi6q9q8xy+XHcYXuDS4PF3oCDZ92m2iZMHcO747q8UQdKkgCEUfIZ2n +L79Dfkkx0uSmp4FIc1f/T6gDiBkZFRfs4stHRrm9K6nbyvFCAczj8wTUQPDjDUGw +zGH1jN9r/I3mHi3FREd0+w++BYZproepf4yfv5c/UJN9P88vCBAZZqlS1kkxYGUz +jOwzsF/MkpMWW16Xp58f7uwGTVZNTLzoq0r2GTln2R9fQAoQNrJYcBiW48MPSlQe +wef9nRhC8BPOSI70dl5r16/lOu4IuBqwBFiY8QzzDc/DABmaDUQrhLRp+VDHqFeL +taJCUogXb0n1CFub4f9P +=J5C+ +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-15:04.igmp.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-15:04.igmp.asc Wed Feb 25 06:25:59 2015 (r46288) 
@@ -0,0 +1,133 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-15:04.igmp Security Advisory + The FreeBSD Project + +Topic: Integer overflow in IGMP protocol + +Category: core +Module: igmp +Announced: 2015-02-25 +Credits: Mateusz Kocielski, Logicaltrust, + Marek Kroemeke, and 22733db72ab3ed94b5f8a1ffcde850251fe6f466 +Affects: All supported versions of FreeBSD. +Corrected: 2015-02-25 05:43:02 UTC (stable/10, 10.1-STABLE) + 2015-02-25 05:56:16 UTC (releng/10.1, 10.1-RELEASE-p6) + 2015-02-25 05:56:16 UTC (releng/10.0, 10.0-RELEASE-p18) + 2015-02-25 05:43:02 UTC (stable/9, 9.3-STABLE) + 2015-02-25 05:56:54 UTC (releng/9.3, 9.3-RELEASE-p10) + 2015-02-25 05:43:02 UTC (stable/8, 8.4-STABLE) + 2015-02-25 05:56:54 UTC (releng/8.4, 8.4-RELEASE-p24) +CVE Name: CVE-2015-1414 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +IGMP is a control plane protocol used by IPv4 hosts and routers to propagate +multicast group membership information. IGMP version 3 is implemented on +FreeBSD. + +II. Problem Description + +An integer overflow in computing the size of IGMPv3 data buffer can result +in a buffer which is too small for the requested operation. + +III. Impact + +An attacker who can send specifically crafted IGMP packets could cause a +denial of service situation by causing the kernel to crash. + +IV. Workaround + +Block incoming IGMP packets by protecting your host/networks with a firewall. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. 
+ +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-15:04/igmp.patch +# fetch https://security.FreeBSD.org/patches/SA-15:04/igmp.patch.asc +# gpg --verify igmp.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r279263 +releng/8.4/ r279265 +stable/9/ r279263 +releng/9.3/ r279265 +stable/10/ r279263 +releng/10.0/ r279264 +releng/10.1/ r279264 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.1 (FreeBSD) + +iQIcBAEBCgAGBQJU7WjDAAoJEO1n7NZdz2rnjr8QAL0J0+4lRtPXRyDRX2xFSnzw +sc3OpfmlTiD3pCFkebTYy3/+EK86iAL1ZELqlJe5mm2+pzhCQB13C4/exc0l1U6b +tyiGXxhVi2/4SBrs6n9lmB/YhXkgtqaOQAcNaOD6sVbS1e5cBtjnG86oOq8tQ2qG +c7Dvh3HTp9M5fDJtsI40SIpqy3FcKORBfpjYd8jONfSqMnLM2kM8xzwHSv4/X23e +GlDKHtIi+1ylD/Qu7Z3S7hqXDTSYjZb1QHc7axDFB6X6nj2Rz3aWS2hPPTypFd3T +zTj5DZjgiP7U2LhR40sWW68RYi21yzNUwbe0w5LeDah6Ymc5CDO2ujdm3HDQbQGH +pA9QIOjzpgR64nWLIJfZ7jMxL3rCCaCW3NCB/iRXni2Ib/wt3ZDkJyEk/SF4K82H +72U2u2qVjAsnhmwWK8gksBi9bEXk3TnX778bkrwm4rt1xOjACq8k66LAernoE4tB +DkE0pO4QR+6XwFb5sJMG/3L9CmrhTp2pkPDBQDbSD+ngBs5V5mJOqVf7gB+UptnN +Fh8OACO/5KtDkqBDsCljHxHZNaboVF4Q613+iF5CUc6SYOTkLnBDUE4Pq38vlzVB +GdZMEo/hvsCbR4c2TmdKuvEkEqayxCxcv0DXiyTlVCecxSkaYvMXPwCKK43QtS7S +het83QCUxaVuxLiznuwR +=lkYC +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-15:05.bind.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-15:05.bind.asc Wed Feb 25 06:25:59 2015 (r46288) 
@@ -0,0 +1,140 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-15:05.bind Security Advisory + The FreeBSD Project + +Topic: BIND remote denial of service vulnerability + +Category: contrib +Module: bind +Announced: 2015-02-25 +Credits: ISC +Affects: FreeBSD 8.x and FreeBSD 9.x. +Corrected: 2015-02-18 22:20:19 UTC (stable/9, 9.3-STABLE) + 2015-02-25 05:56:54 UTC (releng/9.3, 9.3-RELEASE-p10) + 2015-02-18 22:29:52 UTC (stable/8, 8.4-STABLE) + 2015-02-25 05:56:54 UTC (releng/8.4, 8.4-RELEASE-p24) +CVE Name: CVE-2015-1349 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +BIND 9 is an implementation of the Domain Name System (DNS) protocols. +The named(8) daemon is an Internet Domain Name Server. + +II. Problem Description + +BIND servers which are configured to perform DNSSEC validation and which +are using managed keys (which occurs implicitly when using +"dnssec-validation auto;" or "dnssec-lookaside auto;") may exhibit +unpredictable behavior due to the use of an improperly initialized +variable. + +III. Impact + +A remote attacker can trigger a crash of a name server that is configured +to use managed keys under specific and limited circumstances. However, +the complexity of the attack is very high unless the attacker has a +specific network relationship to the BIND server which is targeted. + +IV. Workaround + +Only systems that runs BIND, including recursive resolvers and authoritative +servers that performs DNSSEC validation and using managed-keys are affected. + +This issue can be worked around by not using "auto" for the dnssec-validation +or dnssec-lookaside options and do not configure a managed-keys statement. 
+Note that in order to do DNSSEC validation with this workaround one would +have to configure an explicit trusted-keys statement with the appropriate +keys. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-15:05/bind.patch +# fetch https://security.FreeBSD.org/patches/SA-15:05/bind.patch.asc +# gpg --verify bind.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart the applicable daemons, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r278973 +releng/8.4/ r279265 +stable/9/ r278972 +releng/9.3/ r279265 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.1 (FreeBSD) + +iQIcBAEBCgAGBQJU7WjDAAoJEO1n7NZdz2rnKkgP/3vUBO8o5ofQFMUYSS1siPxZ +63OeeRlMabEgiWZaQ+V2O7/CPrHDIgJHQABx9kNoiutWD9TC3c5f7Yh4nfaXmbKe +Ncu3EjF1Zw/uGbu3cXjboX0CYnBDYrPNJnzIvSG0UlTY5hEIi3FgN4v2Q3gzuU/2 +3aUlFHyZb4GVzK+lA+wD0unOc6+il6LHPpSzwRbLpNxCB2J582HoCuw9i5NfMiOB +KP8axZeNZLMpE90s3H/VD+7UIoe6eOC0kykH/DpuUIUxxlExK9c8f9QurpoCnOrV +qwPAeWEYjmjZmMFivVZf5ugir6diaenfPjpXvUGNz2pCp5wlRkku71sMDsgnErX2 +Fnuc6nCXqTb/XX6zQmz/236EEVr2UBuX0cXWT0Dvu8GznMij/s4J+9+/Pkjp/mr7 +PfXj4H9UMv2Q3zOW7+Vb2Ru0zwfL9Dt90SyNbvt6DOA9KSNnUZIkN/pbKuS9fnHX +Pw7eiNPs4Rq0Ui1DJDWVsJnZV2aVSw+qHxeMVtjCWbx3O7IVGgj5W7i95iAPHRJ4 +PVd1oaI2WsteoLNGpfXUD5sQr9yFRU/mRKtgSjxtKRV/nIkdwfTNcHHXIl0XuIWw +C7VmAjlZgqj7aacTZWiVXqiFkN6gDjjFv1lVYmuDQOiK52JCbcBavYnxzZxVzuSa +yIpDuhJS5vIt/B5oepoZ +=uquT +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-15:01/vt.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-15:01/vt.patch Wed Feb 25 06:25:59 2015 (r46288) 
@@ -0,0 +1,34 @@ +Index: sys/dev/vt/vt_core.c +=================================================================== +--- sys/dev/vt/vt_core.c (revision 278106) ++++ sys/dev/vt/vt_core.c (working copy) +@@ -1719,14 +1719,16 @@ skip_thunk: + } + VT_UNLOCK(vd); + return (EINVAL); +- case VT_WAITACTIVE: ++ case VT_WAITACTIVE: { ++ unsigned int idx; ++ + error = 0; + +- i = *(unsigned int *)data; +- if (i > VT_MAXWINDOWS) ++ idx = *(unsigned int *)data; ++ if (idx > VT_MAXWINDOWS) + return (EINVAL); +- if (i != 0) +- vw = vd->vd_windows[i - 1]; ++ if (idx > 0) ++ vw = vd->vd_windows[idx - 1]; + + VT_LOCK(vd); + while (vd->vd_curwindow != vw && error == 0) +@@ -1733,6 +1735,7 @@ skip_thunk: + error = cv_wait_sig(&vd->vd_winswitch, &vd->vd_lock); + VT_UNLOCK(vd); + return (error); ++ } + case VT_SETMODE: { /* set screen switcher mode */ + struct vt_mode *mode; + struct proc *p1; Added: head/share/security/patches/EN-15:01/vt.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-15:01/vt.patch.asc Wed Feb 25 06:25:59 2015 (r46288) 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.1 (FreeBSD) + +iQIcBAABCgAGBQJU7WjZAAoJEO1n7NZdz2rnu1YQAOmWCucNAVFb6agfA4im6Roz +Y0ujoSDgLmbYiKbT8tgXE456hLzk/VIOT6LdBxxsbXFBvKcRUlSDVlTa7YS2FlHN +QmQFput2r+1Cxase9tEFDFWG4c7TUFxWSotNZKrx0Xvt14kg4vUVqrkFEWQlnWlg +NhsPPZ4Ui2XQW3+hEUha7HuUvca6JWe8KbHFlzKcABm20cbGxHSnmyzsg6DjofeI +35fyKdJe81HYG94P31Xqx60HwBK4ncvJY7HXbdMfmIE/nGrdn19147X8bo2N/EvG +0mXis5iRbsKVqDqvuE9eXHXtVg5JibDgT/vos4T0ZtauLK0e4j7kDGAcp7HFE8p8 +OoHLHLf8VevO8iI1UYczNN97tLfGWD3P7wiO/p7mpYUny0G+U4lqQGaTSmfgobxe +MJUNyZl/riIYlgjg7lG9lrtsdecEFKY6V4mzCt+kEb0QysoYCs8Kk7zrm9C8B02T +cydBPV5bjy3cKuFOfoYFXHKROKTaaR81e6lHaoRMYZ4XOzrVHFnTQoPlEe6k2EsS +lgwnPEmkoTMT46IcOnLN1Nq7pQIrls6bstrCcM6bIIvjv//k70emw8nNd1gcow38 +rFOjOmruepze0sA1OSAXshDwzLt+XUOvl8AT/X4O2FX52KWic48sL9L4cEkv7pL8 +sxl/mffCaySZUHqrmv9X +=chiR +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-15:02/openssl-10.0.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-15:02/openssl-10.0.patch Wed Feb 25 06:25:59 2015 (r46288) 
@@ -0,0 +1,58313 @@ +Index: crypto/openssl/ACKNOWLEDGMENTS +=================================================================== +--- crypto/openssl/ACKNOWLEDGMENTS (revision 279126) ++++ crypto/openssl/ACKNOWLEDGMENTS (working copy) +@@ -10,13 +10,18 @@ OpenSSL project. + We would like to identify and thank the following such sponsors for their past + or current significant support of the OpenSSL project: + ++Major support: ++ ++ Qualys http://www.qualys.com/ ++ + Very significant support: + +- OpenGear: www.opengear.com ++ OpenGear: http://www.opengear.com/ + + Significant support: + +- PSW Group: www.psw.net ++ PSW Group: http://www.psw.net/ ++ Acano Ltd. http://acano.com/ + + Please note that we ask permission to identify sponsors and that some sponsors + we consider eligible for inclusion here have requested to remain anonymous. +Index: crypto/openssl/CHANGES +=================================================================== +--- crypto/openssl/CHANGES (revision 279126) ++++ crypto/openssl/CHANGES (working copy) +@@ -2,9 +2,376 @@ + OpenSSL CHANGES + _______________ + ++ Changes between 1.0.1k and 1.0.1l [15 Jan 2015] ++ ++ *) Build fixes for the Windows and OpenVMS platforms ++ [Matt Caswell and Richard Levitte] ++ ++ Changes between 1.0.1j and 1.0.1k [8 Jan 2015] ++ ++ *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS ++ message can cause a segmentation fault in OpenSSL due to a NULL pointer ++ dereference. This could lead to a Denial Of Service attack. Thanks to ++ Markus Stenberg of Cisco Systems, Inc. for reporting this issue. ++ (CVE-2014-3571) ++ [Steve Henson] ++ ++ *) Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the ++ dtls1_buffer_record function under certain conditions. In particular this ++ could occur if an attacker sent repeated DTLS records with the same ++ sequence number but for the next epoch. 
The memory leak could be exploited ++ by an attacker in a Denial of Service attack through memory exhaustion. ++ Thanks to Chris Mueller for reporting this issue. ++ (CVE-2015-0206) ++ [Matt Caswell] ++ ++ *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is ++ built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl ++ method would be set to NULL which could later result in a NULL pointer ++ dereference. Thanks to Frank Schmirler for reporting this issue. ++ (CVE-2014-3569) ++ [Kurt Roeckx] ++ ++ *) Abort handshake if server key exchange message is omitted for ephemeral ++ ECDH ciphersuites. ++ ++ Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for ++ reporting this issue. ++ (CVE-2014-3572) ++ [Steve Henson] ++ ++ *) Remove non-export ephemeral RSA code on client and server. This code ++ violated the TLS standard by allowing the use of temporary RSA keys in ++ non-export ciphersuites and could be used by a server to effectively ++ downgrade the RSA key length used to a value smaller than the server ++ certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at ++ INRIA or reporting this issue. ++ (CVE-2015-0204) ++ [Steve Henson] ++ ++ *) Fixed issue where DH client certificates are accepted without verification. ++ An OpenSSL server will accept a DH certificate for client authentication ++ without the certificate verify message. This effectively allows a client to ++ authenticate without the use of a private key. This only affects servers ++ which trust a client certificate authority which issues certificates ++ containing DH keys: these are extremely rare and hardly ever encountered. ++ Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting ++ this issue. ++ (CVE-2015-0205) ++ [Steve Henson] ++ ++ *) Ensure that the session ID context of an SSL is updated when its ++ SSL_CTX is updated via SSL_set_SSL_CTX. 
++ ++ The session ID context is typically set from the parent SSL_CTX, ++ and can vary with the CTX. ++ [Adam Langley] ++ ++ *) Fix various certificate fingerprint issues. ++ ++ By using non-DER or invalid encodings outside the signed portion of a ++ certificate the fingerprint can be changed without breaking the signature. ++ Although no details of the signed portion of the certificate can be changed ++ this can cause problems with some applications: e.g. those using the ++ certificate fingerprint for blacklists. ++ ++ 1. Reject signatures with non zero unused bits. ++ ++ If the BIT STRING containing the signature has non zero unused bits reject ++ the signature. All current signature algorithms require zero unused bits. ++ ++ 2. Check certificate algorithm consistency. ++ ++ Check the AlgorithmIdentifier inside TBS matches the one in the ++ certificate signature. NB: this will result in signature failure ++ errors for some broken certificates. ++ ++ Thanks to Konrad Kraszewski from Google for reporting this issue. ++ ++ 3. Check DSA/ECDSA signatures use DER. ++ ++ Reencode DSA/ECDSA signatures and compare with the original received ++ signature. Return an error if there is a mismatch. ++ ++ This will reject various cases including garbage after signature ++ (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS ++ program for discovering this case) and use of BER or invalid ASN.1 INTEGERs ++ (negative or with leading zeroes). ++ ++ Further analysis was conducted and fixes were developed by Stephen Henson ++ of the OpenSSL core team. ++ ++ (CVE-2014-8275) ++ [Steve Henson] ++ ++ *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect ++ results on some platforms, including x86_64. This bug occurs at random ++ with a very low probability, and is not known to be exploitable in any ++ way, though its exact impact is difficult to determine. 
Thanks to Pieter ++ Wuille (Blockstream) who reported this issue and also suggested an initial ++ fix. Further analysis was conducted by the OpenSSL development team and ++ Adam Langley of Google. The final fix was developed by Andy Polyakov of ++ the OpenSSL core team. ++ (CVE-2014-3570) ++ [Andy Polyakov] ++ ++ *) Do not resume sessions on the server if the negotiated protocol ++ version does not match the session's version. Resuming with a different ++ version, while not strictly forbidden by the RFC, is of questionable ++ sanity and breaks all known clients. ++ [David Benjamin, Emilia Käsper] ++ ++ *) Tighten handling of the ChangeCipherSpec (CCS) message: reject ++ early CCS messages during renegotiation. (Note that because ++ renegotiation is encrypted, this early CCS was not exploitable.) ++ [Emilia Käsper] ++ ++ *) Tighten client-side session ticket handling during renegotiation: ++ ensure that the client only accepts a session ticket if the server sends ++ the extension anew in the ServerHello. Previously, a TLS client would ++ reuse the old extension state and thus accept a session ticket if one was ++ announced in the initial ServerHello. ++ ++ Similarly, ensure that the client requires a session ticket if one ++ was advertised in the ServerHello. Previously, a TLS client would ++ ignore a missing NewSessionTicket message. ++ [Emilia Käsper] ++ ++ Changes between 1.0.1i and 1.0.1j [15 Oct 2014] ++ ++ *) SRTP Memory Leak. ++ ++ A flaw in the DTLS SRTP extension parsing code allows an attacker, who ++ sends a carefully crafted handshake message, to cause OpenSSL to fail ++ to free up to 64k of memory causing a memory leak. This could be ++ exploited in a Denial Of Service attack. This issue affects OpenSSL ++ 1.0.1 server implementations for both SSL/TLS and DTLS regardless of ++ whether SRTP is used or configured. Implementations of OpenSSL that ++ have been compiled with OPENSSL_NO_SRTP defined are not affected. 
++ ++ The fix was developed by the OpenSSL team. ++ (CVE-2014-3513) ++ [OpenSSL team] ++ ++ *) Session Ticket Memory Leak. ++ ++ When an OpenSSL SSL/TLS/DTLS server receives a session ticket the ++ integrity of that ticket is first verified. In the event of a session ++ ticket integrity check failing, OpenSSL will fail to free memory ++ causing a memory leak. By sending a large number of invalid session ++ tickets an attacker could exploit this issue in a Denial Of Service ++ attack. ++ (CVE-2014-3567) ++ [Steve Henson] ++ ++ *) Build option no-ssl3 is incomplete. ++ ++ When OpenSSL is configured with "no-ssl3" as a build option, servers ++ could accept and complete a SSL 3.0 handshake, and clients could be ++ configured to send them. ++ (CVE-2014-3568) ++ [Akamai and the OpenSSL team] ++ ++ *) Add support for TLS_FALLBACK_SCSV. ++ Client applications doing fallback retries should call ++ SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV). ++ (CVE-2014-3566) ++ [Adam Langley, Bodo Moeller] ++ ++ *) Add additional DigestInfo checks. *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
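Review bot: in the first sys/dev/vt/vt_core.c hunk (case VT_WAITACTIVE), "vw = vd->vd_windows[idx - 1];" is still read before VT_LOCK(vd) is taken, so the pointer that the cv_wait_sig loop compares against vd->vd_curwindow is sampled outside the lock held for that comparison; consider moving the lookup below VT_LOCK(vd). When idx is 0 the case relies on vw having been set earlier in the function, which is not visible in the hunk and deserves a short comment. The move from "i" to a case-local "unsigned int idx" is what the "idx > VT_MAXWINDOWS" bound check now depends on for large user-supplied values (the declaration of "i" is outside the hunk), and neither the hunk nor the commit log says so; a one-line comment above the check would record the reason.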
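Review bot: the crypto/openssl/ACKNOWLEDGMENTS and crypto/openssl/CHANGES hunks are all of openssl-10.0.patch that can be reviewed from this mail: the hunk header announces 58313 added lines and the diff output is truncated at 1000, so only sponsor and changelog text is visible and none of the code the entries describe. The commit log should name the OpenSSL release the patch brings the tree to (the top CHANGES entry is "Changes between 1.0.1k and 1.0.1l") instead of leaving it to be inferred from a truncated diff, and review of the code changes has to be done on the full patch file after checking it against openssl-10.0.patch.asc.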