From owner-freebsd-announce@freebsd.org Wed Sep 2 17:45:53 2020 Return-Path: Delivered-To: freebsd-announce@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 6B8973DE678 for ; Wed, 2 Sep 2020 17:45:53 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4BhWZ920pNz3bBs; Wed, 2 Sep 2020 17:45:53 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1599068753; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=XfaQ8J8+wfq5usNpWFUz4NucE+j6kJxpfLuRDFHBB+k=; b=hdIZ96o9gqK5fAwyYWDEoObIsv0xgQI8Er7MLys39M+fKQMKcVf21pD+aGXciZRQ+1/qJK Rv6SX64y7oavjsYcRRuAklB/Yp4sejPsdwbidvuRpBH9SCUsHB9YOx4Hf4F1Cbjxc8MQt4 YToSYej+7V4DvTQp9oQojKscTsZxVd4qfw1BigW9SSRHe1pryzmP2/JqBc2APoJWd61wZG mbtlrhneqTrUOsf4J8OpfMX+1ayiPa3Nto/yYk8LGdGLIgTkzginkjc1HjOQGH9yrAn93r ccCW2S1LdyDJ11J8OaWX+88fDZVJi6jJODhB5+2gQoQVkZIFFSoNRN86WcHVnw== Received: by freefall.freebsd.org (Postfix, from userid 945) id 3B04BC848; Wed, 2 Sep 2020 17:45:53 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20200902174553.3B04BC848@freefall.freebsd.org> Date: Wed, 2 Sep 2020 17:45:53 +0000 (UTC) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1599068753; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=XfaQ8J8+wfq5usNpWFUz4NucE+j6kJxpfLuRDFHBB+k=; b=J3QffFK05l9FOHt4uNMKIVvPBvBTVkDYRGgxde7mccDjZT2wweXKrj8/sdUGUPB85CcLF8 iUFiXPR+onug1s16WZ0IxN5hXihGSokXC+sWwLnXHyr8uRX63GxOeRxJ9ZG9p7D4OSCUo3 RYK2uR2pQf5jebj0VpbKfFFG/lM/2p2UqSNpB9v7K1aHyQB8d3uNvjewDADi2lXbtWEsph +Vqif3jnBDnFFXMHI71yq+tPLe+ThlgCUeq9nW7ZP5zVYRkgaVYdujb/Dbo06y/mok23c2 RqKB/bjtc2NedOMXTFNwcPycXoCf70DW0+HkAmy0v5TEB4lPnML4sKG/M/e1QA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1599068753; a=rsa-sha256; cv=none; b=BUOeh9ARIq8lmGfiqgNRkL2aNzpUhIjr6C/3WfaI57zTdTJafwNldJI35dgZUp7S1Qk1dQ 0llQsHYBQ6B2PrxSglJ3NmXQeJm5RZwDb1JY+PDsNCVifmop6gDtvSxudblMLmiueYHsRR Fk7MEcV5NuqZCnnHH5PwcAYJ0qGCaSSkwZS6/xIJiT13cmGz8Jo+EpSGKl/X7yJLk//d+a abm9tk3RO2rI3/NjJOHET0goVnyjumBJrUbYUQGL5QnGmmrm9KYerG036/mc87v2/04X6S HyaKahga9ZuokX31yNr+FkVRkBUuwgFSHO3i7o6M46ovD/YlkQIJDcCszHrJQQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-20:24.ipv6 X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.33 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Sep 2020 17:45:53 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-20:24.ipv6 Security Advisory The FreeBSD Project Topic: IPv6 Hop-by-Hop options use-after-free bug Category: core Module: kernel Announced: 2020-09-02 Affects: FreeBSD 11.3 Corrected: 2020-05-07 01:28:59 UTC (stable/11, 11.4-PRERELEASE) 2020-09-02 16:23:15 UTC (releng/11.3, 11.3-RELEASE-p13) CVE Name: CVE-2020-7462 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background IPv6 is a network layer supporting Hop-by-Hop options, which can be sent by applications via the socket API. The memory management for packet handling is done using mbufs. II. Problem Description Due to improper mbuf handling in the kernel, a use-after-free bug might be triggered by sending IPv6 Hop-by-Hop options over the loopback interface. III. Impact Triggering the use-after-free situation may result in unintended kernel behaviour including a kernel panic. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-20:24/ipv6.patch # fetch https://security.FreeBSD.org/patches/SA-20:24/ipv6.patch.asc # gpg --verify ipv6.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/11/ r360733 releng/11.3/ r365255 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9PzTNfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cLJYxAAotGAWrawa3gRK8gVpEIJiYknR9bODjDojm7KovlkuKeYAkyQ92/Ii23U U6tMXSPDYQFyscOdrGq4yEjxRDLLkGQGynQpioinDn8POKX7BKpy+PFFdv1mmBef h/WpgmlPdhymYisaImgVyGAxU81auzpFB6mArzFDCdHavTd7jVD2lJwcpdzeOk// NHOsj8C4VYJs0XcYrNa4CEWfH/D/uNO8u2b3QUfKQSOdfIfaDv22k2b96YKm+zcr xS7Q1jDv7QBTQou7KNOfoPi0Gclp8Q9VReP2nY/hB5TmJjR3irz+Z6UcGfiyDGrL XRB7oP23jIUmBbsINUN06FIhAPGF9/7zcOOoV1YOdwvmbLM0/W4c+mERZ16gw6+N MzCLDOeiyKAUr+pQzcl6lORxr31eB8400l6nRJwmCiWx4nHwyHPIl1RtfvsdNqfE /OBVEalxsCrzStfW4ME5RziPo9Y8DrajPf7+JY/4CIV3v/dJAiGi3+qs9Zn8enar WCR/8+o4xbT+d1sGTG1W3Qjh9a28jxqEusLjdehDy8PTk9OnIfPRuxj+kvot3Wo0 lWdeSIo8YZPYn7hG9N19k6aDlljM1fgkBmWj1uELtCeIE7WM5tHGMBuaS0cTt1jL s2g01qgkgW2a6cChdm3oNfUKE5KpD3/hU63/jEA6QyJJQQqXlOs= =kFlz -----END PGP SIGNATURE-----