From: Xin LI
Date: Tue, 14 Jan 2014 19:57:49 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r43519 - in head/share: security/advisories security/patches/EN-14:01 security/patches/EN-14:02 security/patches/SA-14:01 security/patches/SA-14:02 security/patches/SA-14:03 security/pa...

Author: delphij
Date: Tue Jan 14 19:57:49 2014
New Revision: 43519
URL: http://svnweb.freebsd.org/changeset/doc/43519

Log:
  Add 4 latest advisories and 2 latest errata notices:

  Fix bsnmpd remote denial of service vulnerability. [SA-14:01]
  Fix ntpd distributed reflection Denial of Service vulnerability. [SA-14:02]
  Fix OpenSSL multiple vulnerabilities. [SA-14:03]
  Fix BIND remote denial of service vulnerability. [SA-14:04]
  Disable hardware RNGs by default. [EN-14:01]
  Fix incorrect coalescing of stack entry with mmap. [EN-14:02]

Added:
  head/share/security/advisories/FreeBSD-EN-14:01.random.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-EN-14:02.mmap.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-14:01.bsnmpd.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-14:02.ntpd.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-14:03.openssl.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-14:04.bind.asc (contents, props changed)
  head/share/security/patches/EN-14:01/
  head/share/security/patches/EN-14:01/random-8.3.patch (contents, props changed)
  head/share/security/patches/EN-14:01/random-8.3.patch.asc (contents, props changed)
  head/share/security/patches/EN-14:01/random-9.1.patch (contents, props changed)
  head/share/security/patches/EN-14:01/random-9.1.patch.asc (contents, props changed)
  head/share/security/patches/EN-14:01/random-9.2-8.4.patch (contents, props changed)
  head/share/security/patches/EN-14:01/random-9.2-8.4.patch.asc (contents, props changed)
  head/share/security/patches/EN-14:02/
  head/share/security/patches/EN-14:02/mmap.patch (contents, props changed)
  head/share/security/patches/EN-14:02/mmap.patch.asc (contents, props changed)
  head/share/security/patches/SA-14:01/
  head/share/security/patches/SA-14:01/bsnmpd.patch (contents, props changed)
  head/share/security/patches/SA-14:01/bsnmpd.patch.asc (contents, props changed)
  head/share/security/patches/SA-14:02/
  head/share/security/patches/SA-14:02/ntpd.patch (contents, props changed)
  head/share/security/patches/SA-14:02/ntpd.patch.asc (contents, props changed)
  head/share/security/patches/SA-14:03/
  head/share/security/patches/SA-14:03/openssl.patch (contents, props changed)
  head/share/security/patches/SA-14:03/openssl.patch.asc (contents, props changed)
  head/share/security/patches/SA-14:04/
  head/share/security/patches/SA-14:04/bind-release.patch (contents, props changed)
  head/share/security/patches/SA-14:04/bind-release.patch.asc (contents, props changed)
  head/share/security/patches/SA-14:04/bind-stable-9.patch (contents, props changed)
  head/share/security/patches/SA-14:04/bind-stable-9.patch.asc (contents, props changed)
Modified:
  head/share/xml/advisories.xml
  head/share/xml/notices.xml

Added: head/share/security/advisories/FreeBSD-EN-14:01.random.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-14:01.random.asc Tue Jan 14 19:57:49 2014 (r43519) 
@@ -0,0 +1,142 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-14:01.random Errata Notice + The FreeBSD Project + +Topic: /dev/random should not make direct usage of hardware RNG + +Category: core +Module: random +Announced: 2014-01-14 +Affects: All versions of FreeBSD prior to 10.0-BETA1 +Corrected: 2014-01-14 19:27:42 UTC (stable/9, 9.2-STABLE) + 2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3) + 2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10) + 2014-01-14 19:27:42 UTC (stable/8, 8.4-STABLE) + 2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7) + 2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The random(4) and urandom(4) devices return an endless supply of pseudo-random +bytes when read. Cryptographic algorithms often depend on the secrecy of these +pseudo-random values for security. + +Yarrow is a secure pseudo-random number generator that combines entropy from +several entropy sources, mitigating a possible attack when someone could +predict the output when they are able to intercept one or more of the +entropy sources + +II. Problem Description + +When a hardware RNG exists, the FreeBSD random(4) and urandom(4) devices +would use their output directly. + +III. Impact + +Someone who has control over these hardware RNGs would be able to +predicate the output from random(4) and urandom(4) devices and may be able +to reveal unique keys that are used to encrypt data. + +IV. Workaround + +Disable the hardware RNGs by adding the following settings to /boot/loader.conf +and reboot the system: + +hw.nehemiah_rng_enable=0 +hw.ivy_rng_enable=0 + +V. Solution + +Hardware RNGs would be disabled by default with this errata notice. 
They +can be re-enabled by setting the corresponding loader tunables to non-zero +value. + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +2) To update your present system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 9.2 and 8.4] +# fetch http://security.FreeBSD.org/patches/EN-14:01/random-9.2-8.4.patch +# fetch http://security.FreeBSD.org/patches/EN-14:01/random-9.2-8.4.patch.asc +# gpg --verify random-9.2-8.4.patch.asc + +[FreeBSD 9.1] +# fetch http://security.FreeBSD.org/patches/EN-14:01/random-9.1.patch +# fetch http://security.FreeBSD.org/patches/EN-14:01/random-9.1.patch.asc +# gpg --verify random-9.1.patch.asc + +[FreeBSD 8.3] +# fetch http://security.FreeBSD.org/patches/EN-14:01/random-8.3.patch +# fetch http://security.FreeBSD.org/patches/EN-14:01/random-8.3.patch.asc +# gpg --verify random-8.3.patch.asc + +b) Apply the patch. + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +3) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the revision numbers of each file that was +corrected in FreeBSD. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r260644 +releng/8.3/ r260647 +releng/8.4/ r260647 +stable/9/ r260644 +releng/9.1/ r260647 +releng/9.2/ r260647 +- ------------------------------------------------------------------------- + +VII. 
References + +The latest revision of this Errata Notice is available at +http://security.FreeBSD.org/advisories/FreeBSD-EN-14:01.random.asc + +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJS1ZSoAAoJEO1n7NZdz2rnZcgP/3ITOg59t4PmOg2vUrlMsf35 +jVDZojqeu+XgDepYi37HJVB6pHSWusYoI59YP6O2N1n15W34Bp91Vcthofyr+jgx +7Guz+DXOqZy1yxGMSGkAl0hIrksszqp5kAADy4f1NMkFmvc2+8dXW1xmxYpDHrkG +d/alEeK0LuFgWXYnnrea3x/aWqEVVR+/YhCbk8FTD01Q4zqtfacIDfNL+gLf4Mhx +gNO1HSHmvS4GEF1gawtHzY4i6rGX9e4LgxKSEKSMUXfl1WUfnD5f62z9FB1UN1Js +EfVniP2ZN2ojAzoVWfiX5WDhpMA/KZpdTSLF+zOM1/Tr+7+N7WTYftL6nHy/HSj8 +LmsIZnSE4F7F2hFlZu7PPwGzaIj/rYk5tRzw3nTIoIwVoLbvbevzCrl0rIocq2CK +Sm5WV2qvMuWB+ZK2ZuzCIxAj6/fuLbUIBHmHd2VFfxWXcSwoK/cW3pFPMDyHKtJJ +ccocT7kXeHHtnSqzvSN1j1XFZsWdojbYU7HSU8QmiilG3ESvgrzZAKh7V+hC/aF/ +TE0Xhaip8X/sOt1NnjHGs8XzA3w7wUukssz2V7gRdarSS7c/+mU23pajLknQ4eiB +l3g8z/iX4jPuL8e0sn9GUCXVtTZIXWGl9hSilWeYk6tEihhlf/gVhY6ldCwSoZjr +U6gPf7bQn/NzE7wSUaQD +=viar +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-EN-14:02.mmap.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-14:02.mmap.asc Tue Jan 14 19:57:49 2014 (r43519) 
@@ -0,0 +1,127 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-14:02.mmap Errata Notice + The FreeBSD Project + +Topic: mmap should not coalesce stack entry + +Category: core +Module: kernel +Announced: 2014-01-14 +Credits: Konstantin Belousov +Affects: All supported versions of FreeBSD. +Corrected: 2013-12-30 08:57:54 UTC (stable/10, 10.0-PRERELEASE) + 2013-12-31 08:02:34 UTC (releng/10.0, 10.0-RC4) + 2013-12-31 08:02:34 UTC (releng/10.0, 10.0-RC3-p1) + 2013-12-31 08:02:34 UTC (releng/10.0, 10.0-RC2-p1) + 2013-12-31 08:02:34 UTC (releng/10.0, 10.0-RC1-p1) + 2013-12-30 09:04:06 UTC (stable/9, 9.2-STABLE) + 2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3) + 2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10) + 2014-01-14 19:33:28 UTC (stable/8, 8.4-STABLE) + 2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7) + 2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The FreeBSD virtual memory system allows growing stack by mapping anonymous +memory region on top of a stack via mmap(2) system call with MAP_STACK bit +enabled in flags parameter. + +II. Problem Description + +The FreeBSD virtual memory system tries to coalesce adjacent memory regions +into one single object when possible. When growing the stack via mmap(2), it +will also try to coalesce the newly allocated memory into the existing object. +This would result in a failed assertion later in vm_map_stack(), which expects +that a new object is returned. + +III. Impact + +The system will panic when this happens. + +IV. Workaround + +No workaround is available. + +V. 
Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +2) To update your present system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/EN-14:02/mmap.patch +# fetch http://security.FreeBSD.org/patches/EN-14:02/mmap.patch.asc +# gpg --verify mmap.patch.asc + +b) Apply the patch. + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +3) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the revision numbers of each file that was +corrected in FreeBSD. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r260645 +releng/8.3/ r260647 +releng/8.4/ r260647 +stable/9/ r260082 +releng/9.1/ r260647 +releng/9.2/ r260647 +stable/10/ r260081 +releng/10.0/ r260122 +- ------------------------------------------------------------------------- + +VII. 
References + +The latest revision of this Errata Notice is available at +http://security.FreeBSD.org/advisories/FreeBSD-EN-14:02.mmap.asc + +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJS1ZSuAAoJEO1n7NZdz2rnsPoQAIFs/URebviZjkMpYJBTahwe +Lr50uJSZIlW2nMvi+urLJAB15fJm/WHDdHqp6+WHh5jjCozb45CoIxDFnP5UB4q8 +oclsQtKrt4R1dBDEa3RZQoJEm6DIk1YhfAfUtJMhDpROlvWCbBMzZWJbVQec5j3E +iyhY1FIl/BD4KWFw/hDhJX5j4HQWA/oZDagx5WZFMsFapq5rOXkC/fq3YHkTJBeW +7YEvAyTuZoj9zBVJ28cEYr7+ULtJMphBdTEzAhFZSEegsM+qyMafTf2c54MdtWR0 +pSgoh9i+cSXj444e4eeqLp6LwapW5YGIrKpAmBUwTECBg5F5915i2h8ddCnmJJSM +4Wq7bXJU6PGzFXTDUsAw9HB2HcCMU2EvVNhtM3wp7dSzojLpvrgEoRZKwanu32r1 +cuN/awHUGA1fzoUkxMygzT5B44IX+9gyT8lJ4N+PfKGnSO00WY41XkLheDmpgf2b +euDrzTSwbupEp70lT45CW6DUlqPXpw0Fn5vyNYBvoaAXineqyvwMkQ6YZwoNmfiU +xv2zjY40RkOR8EJKi8L1moBQsfh/i6rtVQhDIHmAU/1VaYBE4zVXS5BYAlUaUJgw +3rc5ho+F2BB+YV+HeaWszjW+NVhiIswpccw4Js7O2HQUA9M2KEq2+DXRtNdEa8/j +miG/hWqsuoWjAcrQKjKw +=rOvi +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-14:01.bsnmpd.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-14:01.bsnmpd.asc Tue Jan 14 19:57:49 2014 (r43519) 
@@ -0,0 +1,141 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-14:01.bsnmpd Security Advisory + The FreeBSD Project + +Topic: bsnmpd remote denial of service vulnerability + +Category: contrib +Module: bsnmp +Announced: 2014-01-14 +Credits: Dirk Meyer +Affects: All supported versions of FreeBSD. +Corrected: 2014-01-14 19:02:14 UTC (stable/10, 10.0-PRERELEASE) + 2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RELEASE) + 2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC5-p1) + 2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC4-p1) + 2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC3-p1) + 2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC2-p1) + 2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC1-p1) + 2014-01-14 19:17:20 UTC (stable/9, 9.2-STABLE) + 2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3) + 2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10) + 2014-01-14 19:17:20 UTC (stable/8, 8.4-STABLE) + 2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7) + 2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14) +CVE Name: CVE-2014-1452 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +The bsnmpd is a simple and extensible SNMP daemon serves the Internet SNMP +(Simple Network Management Protocol). + +II. Problem Description + +The bsnmpd(8) daemon is prone to a stack-based buffer-overflow when it +has received a specifically crafted GETBULK PDU request. + +III. Impact + +This issue could be exploited to execute arbitrary code in the context of +the service daemon, or crash the service daemon, causing a denial-of-service. + +IV. Workaround + +No workaround is available, but systems not running bsnmpd(8) are not +vulnerable. + +V. 
Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/SA-14:01/bsnmpd.patch +# fetch http://security.FreeBSD.org/patches/SA-14:01/bsnmpd.patch.asc +# gpg --verify bsnmpd.patch.asc + +b) Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +Recompile the operating system using buildworld and installworld as +described in . + +Restart the bsnmpd(8) daemons, or reboot the system. + +3) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r260642 +releng/8.3/ r260647 +releng/8.4/ r260647 +stable/9/ r260642 +releng/9.1/ r260647 +releng/9.2/ r260647 +stable/10/ r260638 +releng/10.0/ r260640 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJS1ZS6AAoJEO1n7NZdz2rnDXwP/1iQmuO8VLjZoD3LMpiHyA/i +YgwjX5x9XT2MyVrRmu+nHaCG3ZDC4/IV72/jCzV8udQJ1RF6Aswhuk6mXI7oatol +OYF27JnRVAJQjAvXw3zMsp4hLv631TvgO1Az1vK7f1pX8bDC/eBTaiCH7I6QBYGS +E4Fsi2MwOWIRyglTjlFSL8Wb2yQmzkKCx/EVFF/6mRC7l3a9pkHf5VKQtut1KYFu +5QF5cG5anur4daP4w45yWsl0qkRDO5mJdpD+S3NtzydluWzz/Dk/0laS5wB+LLzV +cXC5/GR/acQhO+MvDIDT4Emra2OXzsheEahOJhLKHsBF8pHBi5IldkVwQmme76/g +aR1gLSFJ5LYcpAgBQgeWKXXCAol5zNRCR8v8IBnV2+rYRSrIdl5lstgVmla++xJD ++bC7PbTqcLlyFGrMEvd/mAvX1PVa9BVYtaxXA5QZq5EHP7nsKotcAk7/kouVfmao +Gdxlt7YjRic6D/WqF8RFiQv9ezpbEnMQ1BwOCSUEJasXlyxJXYA6vva7tyM3OmyD +c2I9JLeV8aCUgIf3s+HoGcZhz01kmu9REQ/OEDtiN8kX94WOzpectf8V5g+JnxRd +HoOfcvrChohL4nla+3RvG1LJo5KD5N09yHnV2y3LjxTdKu9Hw4ATzFwmPmEUqUfG +eF12aO4PVp42wYWNHtGe +=xZTc +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-14:02.ntpd.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-14:02.ntpd.asc Tue Jan 14 19:57:49 2014 (r43519) 
@@ -0,0 +1,167 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-14:02.ntpd Security Advisory + The FreeBSD Project + +Topic: ntpd distributed reflection Denial of Service vulnerability + +Category: contrib +Module: ntpd +Announced: 2014-01-14 +Affects: All supported versions of FreeBSD. +Corrected: 2014-01-14 19:04:33 UTC (stable/10, 10.0-PRERELEASE) + 2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RELEASE) + 2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC5-p1) + 2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC4-p1) + 2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC3-p1) + 2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC2-p1) + 2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC1-p1) + 2014-01-14 19:20:41 UTC (stable/9, 9.2-STABLE) + 2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3) + 2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10) + 2014-01-14 19:20:41 UTC (stable/8, 8.4-STABLE) + 2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7) + 2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14) +CVE Name: CVE-2013-5211 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) +used to synchronize the time of a computer system to a reference time +source. + +II. Problem Description + +The ntpd(8) daemon supports a query 'monlist' which provides a history of +recent NTP clients without any authentication. + +III. Impact + +An attacker can send 'monlist' queries and use that as an amplification of +a reflection attack. + +IV. Workaround + +The administrator can implement one of the following possible workarounds +to mitigate the attack: + +1) Restrict access to ntpd(8). 
This can be done by adding the following +lines to /etc/ntp.conf: + +restrict -4 default nomodify nopeer noquery notrap +restrict -6 default nomodify nopeer noquery notrap +restrict 127.0.0.1 +restrict -6 ::1 +restrict 127.127.1.0 + +And restart the ntpd(8) daemon. Time service is not affected and the +administrator can still perform queries from local host. + +2) Use IP based restrictions in ntpd(8) itself or in IP firewalls to +restrict which systems can access ntpd(8). + +3) Replace the base system ntpd(8) with net/ntp-devel (version 4.2.7p76 or +newer) + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/SA-14:02/ntpd.patch +# fetch http://security.FreeBSD.org/patches/SA-14:02/ntpd.patch.asc +# gpg --verify ntpd.patch.asc + +b) Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +Recompile the operating system using buildworld and installworld as +described in . + +Restart the ntpd(8) daemon, or reboot the system. + +3) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Note that the patch would disable monitoring features of ntpd(8) daemon +by default. If the feature is desirable, the administrator can choose +to enable it and firewall access to ntpd(8) service. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r260641 +releng/8.3/ r260647 +releng/8.4/ r260647 +stable/9/ r260641 +releng/9.1/ r260647 +releng/9.2/ r260647 +stable/10/ r260639 +releng/10.0/ r260641 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + + + + + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJS1ZTLAAoJEO1n7NZdz2rnn7YP/2DcBtR4LAlMLqa9t8WsFVrD +zrfmitYv5xZ6TUGURfQ3mhF4Xv+vSaYt5AWphBjo/Um+dZLTrX3NXJyjLWenCFZ1 +vUgoeT4czdh/sWXBO+BdahswttJ6uPO0ZPeW/TpczHMrfG++r6FZtcavYj1gWUPX +rQUEh3IRT5MzzcdiIdQFOpi6OeOP7hem5pNOqYwjyy4L4wrgIUetaMpvqXgi2Wa+ +R2vqQNpFAPxKkMkbohLEPRmEK9dXGXejQ7EHFK5jzxInyg32WGFPkJ46bLw3bEsB +sIoh+sxQ3J9mxyaykhX6T7U7PUkzBaNSs62bQE5H8695E30obnZqtfon6qBP5UCT +/kF1+42RIQIPJUFS22NXaUJVOkpd2zyVhwLxgCHg96PHwd1VAC0bnuB4CQt8lN2C +vcOsFcq6CUpMuteURBeiETb0OGWTTT3gyX4T7N4kRKptvmEVUKxZPnmfJCwNHM2I +TzM2HbHaBv9CMIy5X4iDQxLH3w3tSh+IHU6m9cN5rd6JDTa5DQEuRkhaeVbCGHRt +EcSHvUCr+llacITA2rkm1/KPcP97nGgbbM2QbbUVZ/vkdEcImPfrBzrBbaoBzf5p +FTplhJ/4bfF0/Kgt5GTNgQXqtIuEQOs+ljNu2HW+cAfX2Hizlo7jjfMxS0y7/fY2 +hBdg8zuXs/rBI2LKUcP6 +=7q6W +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-14:03.openssl.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-14:03.openssl.asc Tue Jan 14 19:57:49 2014 (r43519) 
@@ -0,0 +1,135 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-14:03.openssl Security Advisory + The FreeBSD Project + +Topic: OpenSSL multiple vulnerabilities + +Category: contrib +Module: openssl +Announced: 2014-01-14 +Affects: FreeBSD 10.0 prior to 10.0-RC5 +Corrected: 2014-01-07 20:04:41 UTC (stable/10, 10.0-PRERELEASE) + 2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC5) + 2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC4-p1) + 2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC3-p1) + 2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC2-p1) + 2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC1-p1) +CVE Name: CVE-2013-4353, CVE-2013-6449, CVE-2013-6450 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is +a collaborative effort to develop a robust, commercial-grade, full-featured +Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) +and Transport Layer Security (TLS v1) protocols as well as a full-strength +general purpose cryptography library. + +II. Problem Description + +A carefully crafted invalid TLS handshake could crash OpenSSL with a NULL +pointer exception. [CVE-2013-4353] + +A flaw in DTLS handling can cause an application using OpenSSL and DTLS to +crash. [CVE-2013-6450] + +A flaw in OpenSSL can cause an application using OpenSSL to crash when using +TLS version 1.2. [CVE-2013-6449] + +III. Impact + +An attacker can send a specifically crafted packet that could cause an OpenSSL +enabled application to crash, resulting in a Denial of Service. + +IV. Workaround + +No workaround is available. + +V. 
Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/SA-14:03/openssl.patch +# fetch http://security.FreeBSD.org/patches/SA-14:03/openssl.patch.asc +# gpg --verify openssl.patch.asc + +b) Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +Recompile the operating system using buildworld and installworld as +described in . + +Restart all deamons using the library, or reboot the system. + +3) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r260404 +releng/10.0/ r260405 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJS1ZTSAAoJEO1n7NZdz2rnHboP/Ryb4a9ENJ7J/S00E8V1YToh +hihrCKssMl6GVltS4oeyAmAW+mDx3DZy+RmAEhgjyAX4gpAxcY/g665j5BMtWAtV +LLJTI9D6ynO7+2y8CeD3W7tk28hNtBPWSV+cGi7USQMKijs6euPocgTU7TnAuF/e +/jcDTn8Sx/Sq0d3ecTWFBOcPHiq5sm/3pW5B1RVxY9DL+zhQ7T/Rb6pgfp6trssM +p8dklzoBReHqs1iPUC4RyhWXOoQoq5VX500b9SHh2X/7eBSq1ab76VF3x+9VOpjj +VRxL9sdkmp+iaVfMHxms3vCLSDlmpgYpq5SftL3jgkequPCpU6NFQGFQKw2crdL0 +NY7dDPjMuvDzzdG7BZtt1mjpRMMMGmZ7fK0myP0+a3YbXEEZeAGT6k07er/xkGCr +uTWyPNM4g3Ulwkfnz60TbFrdMdiCJbRVC9xxOkGEALe882v0WWGPhx9IVbT3dGVw +KGFOXM+IqF55JuaHQ0u/B4wrjBfgBSgOt90TDyMJ5rPjiKG9wyUWnn7QziAVJQ0M +0H/82/2cxNX5+efWNi7xhss2fs1zcU3kiyr135mqamgOQyPG8jFOF7RhdpeGfzVk +ollQG+y1uwVTAWhmVb4MSaAuJw8ixVuap73Rbyug+MuKRLgR2jSxHFiBeiHLA1eG +1+DWJPX0+/zoNakLiw+r +=YOCY +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-14:04.bind.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-14:04.bind.asc Tue Jan 14 19:57:49 2014 (r43519) 
@@ -0,0 +1,140 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-14:04.bind Security Advisory + The FreeBSD Project + +Topic: BIND remote denial of service vulnerability + +Category: contrib +Module: bind +Announced: 2014-01-14 +Credits: ISC +Affects: FreeBSD 8.x and FreeBSD 9.x +Corrected: 2014-01-14 19:38:37 UTC (stable/9, 9.2-STABLE) + 2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3) + 2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10) + 2014-01-14 19:38:37 UTC (stable/8, 8.4-STABLE) + 2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7) + 2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14) +CVE Name: CVE-2014-0591 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +BIND 9 is an implementation of the Domain Name System (DNS) protocols. +The named(8) daemon is an Internet Domain Name Server. + +II. Problem Description + +Because of a defect in handling queries for NSEC3-signed zones, BIND can +crash with an "INSIST" failure in name.c when processing queries possessing +certain properties. This issue only affects authoritative nameservers with +at least one NSEC3-signed zone. Recursive-only servers are not at risk. + +III. Impact + +An attacker who can send a specially crafted query could cause named(8) +to crash, resulting in a denial of service. + +IV. Workaround + +No workaround is available, but systems not running authoritative DNS service +with at least one NSEC3-signed zone using named(8) are not vulnerable. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. 
+ +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 8.3, 8.4, 9.1, 9.2-RELEASE and 8.4-STABLE] +# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch +# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch.asc +# gpg --verify bind-release.patch.asc + +[FreeBSD 9.2-STABLE] +# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch +# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch.asc +# gpg --verify bind-stable-9.patch.asc + +b) Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +Recompile the operating system using buildworld and installworld as +described in . + +Restart the applicable daemons, or reboot the system. + +3) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r260646 +releng/8.3/ r260647 +releng/8.4/ r260647 +stable/9/ r260646 +releng/9.1/ r260647 +releng/9.2/ r260647 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJS1ZTYAAoJEO1n7NZdz2rnOvQP/2/68/s9Cu35PmqNtSZVVxVG +ZSQP5EGWx/lramNf9566iKxOrLRMq/h3XWcC4goVd+gZFrvITJSVOWSa7ntDQ7TO +XcinfRZ/iyiJbs/Rg2wLHc/t5oVSyeouyccqODYFbOwOlk35JjOTMUG1YcX+Zasg +ax8RV+7Zt1QSBkMlOz/myBLXUjlTZ3Xg2FXVsfFQW5/g2CjuHpRSFx1bVNX6ysoG +9DT58EQcYxIS8WfkHRbbXKh9I1nSfZ7/Hky/kTafRdRMrjAgbqFgHkYTYsBZeav5 +fYWKGQRJulYfeZQ90yMTvlpF42DjCC3uJYamJnwDIu8OhS1WRBI8fQfr9DRzmRua +OK3BK9hUiScDZOJB6OqeVzUTfe7MAA4/UwrDtTYQ+PqAenv1PK8DZqwXyxA9ThHb +zKO3OwuKOVHJnKvpOcr+eNwo7jbnHlis0oBksj/mrq2P9m2ueF9gzCiq5Ri5Syag +Wssb1HUoMGwqU0roS8+pRpNC8YgsWpsttvUWSZ8u6Vj/FLeHpiV3mYXPVMaKRhVm +067BA2uj4Th1JKtGleox+Em0R7OFbCc/9aWC67wiqI6KRyit9pYiF3npph+7D5Eq +7zPsUdDd+qc+UTiLp3liCRp5w6484wWdhZO6wRtmUgxGjNkxFoNnX8CitzF8AaqO +UWWemqWuz3lAZuORQ9KX +=OQzQ +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-14:01/random-8.3.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-14:01/random-8.3.patch Tue Jan 14 19:57:49 2014 (r43519) 
@@ -0,0 +1,27 @@ +Index: sys/dev/random/probe.c +=================================================================== +--- sys/dev/random/probe.c (revision 260523) ++++ sys/dev/random/probe.c (working copy) +@@ -30,6 +30,8 @@ __FBSDID("$FreeBSD$"); + + #include + #include ++#include ++#include + #include + #include + #include +@@ -57,7 +59,12 @@ random_ident_hardware(struct random_systat *systat + /* Then go looking for hardware */ + #if defined(__i386__) && !defined(PC98) + if (via_feature_rng & VIA_HAS_RNG) { +- *systat = random_nehemiah; ++ int enable; ++ ++ enable = 0; ++ TUNABLE_INT_FETCH("hw.nehemiah_rng_enable", &enable); ++ if (enable) ++ *systat = random_nehemiah; + } + #endif + } Added: head/share/security/patches/EN-14:01/random-8.3.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-14:01/random-8.3.patch.asc Tue Jan 14 19:57:49 2014 (r43519) @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJS1ZUpAAoJEO1n7NZdz2rnCokP/16qEQ9ziJdRpMQ8YMbr19AC +GcUpad5oEXoUu7qvOykIFj1ATcXE71jE48ypyeVwpme/szQMUvWAjPp9P+lYb78l +ByVukT7Ajs7fcO8uq5f4T0MPN/zG00qNsSpGtlcM68mm4aYLnlfvYjv8Da6GPALy +dd5FE1YxZDnTT5aBpjsGVoj864I6PwehXhbH3FmehOK/vnpUYrgHKTzY9zaUZ5+t +AGw/fzRsOHislwC8rw0AyC6Ky7Du2tQKjur73PaUXz329EZzFoK8J2eHcRExVWvJ +A2zgwI7Y6gZUyJFhX8qcQs4JWxxPBoBQp+aKLkJXhW9U/GsEAVD3KaFAwZfjhOVm +l/fg5XUMPpifGSsQKnoOFGjO0597JBOD5oznwQIg+b780JpsZ4Hmk7XJhXq9+s2G +qBKIogXJG6mKBnx3qt0nlkd3UjS7QSnPMSmplCOoEUORwCMRfLFM0qb+P1d8ycGL +mP7f3ivEg/rUQjhBRbCQyi/+CF6qhVHm1AdA081RSEVlPuDIRAywvcfjKnnOuhbG +yf5AVIpwHwkoLn7qugECH4muTIPiHPFTgWK3qhI3oZfZDOCFZwi9Ognb6eg8qMtP +aEPmTMujVERBc3FXEnjB5VZZSzOwJLm/NI0jW5y3XY/VQhJSaE1hM9qYywqgviXz +g36p0LxezweK/mmxttVA +=jEbX +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-14:01/random-9.1.patch ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-14:01/random-9.1.patch Tue Jan 14 19:57:49 2014 (r43519) @@ -0,0 +1,27 @@ +Index: sys/dev/random/probe.c +=================================================================== +--- sys/dev/random/probe.c (revision 260523) ++++ sys/dev/random/probe.c (working copy) +@@ -30,6 +30,8 @@ __FBSDID("$FreeBSD$"); + + #include + #include ++#include ++#include + #include + #include + #include +@@ -57,7 +59,12 @@ random_ident_hardware(struct random_systat *systat + /* Then go looking for hardware */ + #if defined(__amd64__) || (defined(__i386__) && !defined(PC98)) + if (via_feature_rng & VIA_HAS_RNG) { +- *systat = random_nehemiah; ++ int enable; ++ ++ enable = 0; ++ TUNABLE_INT_FETCH("hw.nehemiah_rng_enable", &enable); ++ if (enable) ++ *systat = random_nehemiah; + } + #endif + } Added: head/share/security/patches/EN-14:01/random-9.1.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-14:01/random-9.1.patch.asc Tue Jan 14 19:57:49 2014 (r43519) 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJS1ZUpAAoJEO1n7NZdz2rnhsAQALF5Gk7QtodIM06xOd0IAcUk +6y8N6s3gHxYhAyv5Af+y2yFTikfYu/yMYxIDbtgszcS+aB2y9b2+aVKwcNUkpiEr +mle+RAVGXPBQ9V7ieFLvMn7HC4PW1uPkFsiqOzu3KXACr2onlq1Jbbw4z6FeAyfa +2PvMTOFZrVNrHmkrjTKBwj+/jYcdHejb7OA0ckbiVgIXBRxftzVjKkVUTw+2ewZy +l73s1/wPRYlqESDOGVNpO/mm1W0zbcllfgxcbBPk3ukSuatNQVIVXEZRfb7Ti2FK +2CXTKbmaqrKPPxzpEkgbPXeOQ7kJ4th93gCbJV1i7uxyHvUo1Kodph0vKBKEiZmt +l+rwmqXD+Zm5JvoBDVXUsYi3DO3+Wi5rLMkzZFFzwsYJbHed+8TD4fLWTti6kLEs +CBQnUceBy4BKUTBj3STEjBBvFdd6Ri6Vdo0kN6Bjr/DuXqzLNyI/aLu6LmNgC3Fp +c3/P4Xp1fTYFVEpjKzc6kG2fUDZVwN+XEDFy6BuD/Hgj2MtmJ4JY4iKWu/P/MlBq +qI9K40rcMx4uMi9ffOC3v6uUHvqmK00FANz8GDIrpqeZEyMThd7yV8gmnBPRp47k +H1IbOqGB1ovaZS92wgiPKxU6SMjP9z7klGaWN+dr7NkGB3/54MwoqyPOKRpaVMcI +dYR/h4NDtwDgJqsuq+rH +=FCsi +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-14:01/random-9.2-8.4.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-14:01/random-9.2-8.4.patch Tue Jan 14 19:57:49 2014 (r43519) @@ -0,0 +1,22 @@ +Index: sys/dev/random/probe.c +=================================================================== +--- sys/dev/random/probe.c (revision 259661) ++++ sys/dev/random/probe.c (working copy) +@@ -73,7 +73,7 @@ + if (via_feature_rng & VIA_HAS_RNG) { + int enable; + +- enable = 1; ++ enable = 0; + TUNABLE_INT_FETCH("hw.nehemiah_rng_enable", &enable); + if (enable) + *systat = random_nehemiah; +@@ -83,7 +83,7 @@ + if (cpu_feature2 & CPUID2_RDRAND) { + int enable; + +- enable = 1; ++ enable = 0; + TUNABLE_INT_FETCH("hw.ivy_rng_enable", &enable); + if (enable) + *systat = random_ivy; Added: head/share/security/patches/EN-14:01/random-9.2-8.4.patch.asc ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-14:01/random-9.2-8.4.patch.asc Tue Jan 14 19:57:49 2014 (r43519) @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJS1ZUpAAoJEO1n7NZdz2rnODkQANga1UgaW4k2SA8SKLmGtRsO +DWo/fqJ12DneoN0cxxgqgUFzB90Cdj1Qrece2Oj6lrD/A8wNfHzB78CE/yCqlEwg *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
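Review bot: In FreeBSD-SA-14:04.bind.asc, Solution step 2a says to run `gpg --verify bind-release.patch.asc` (and the stable-9 equivalent) but never says which key the signature is expected to come from or where to obtain it. The patch and its .asc are both fetched over plain http://, so the detached signature is the only integrity check in the procedure. Suggest adding a sentence that names the expected signing key and asks the reader to confirm the signer gpg reports before moving on to `patch < /path/to/patch`. Step 2b could also name named(8) instead of "the applicable daemons", since that is the only daemon the advisory discusses.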
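Review bot: In random-8.3.patch, the added `TUNABLE_INT_FETCH("hw.nehemiah_rng_enable", &enable);` in random_ident_hardware() brings in a tunable that this function did not read before, and nothing in the patch documents it. After the update the VIA RNG is skipped unless the tunable is set, and the only place an administrator can learn the name is this string literal. Suggest a comment above `enable = 0;` that states the default and the tunable name, and a matching entry in the relevant manual page or loader.conf documentation as part of the same change.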
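Review bot: In random-9.1.patch, when `via_feature_rng & VIA_HAS_RNG` is true but `enable` stays 0, random_ident_hardware() now falls through without assigning `*systat` and without any message, so nothing at boot shows that a hardware RNG was detected and deliberately left unused. Before this change the assignment `*systat = random_nehemiah;` was unconditional, so systems that relied on it change behaviour silently on upgrade. Suggest a one-line boot message for the detected-but-disabled case that mentions `hw.nehemiah_rng_enable`, or at minimum a comment explaining the fall-through.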
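Review bot: In random-9.2-8.4.patch, both hunks flip `enable = 1;` to `enable = 0;` with no accompanying comment, so the bare literal gives a later reader no hint that off-by-default is intentional for `hw.nehemiah_rng_enable` and `hw.ivy_rng_enable`. A default like this is easy to revert by accident in a later cleanup. Suggest a short comment at each site saying that hardware RNGs are opt-in through the tunable; the two fetch-and-test blocks are identical apart from the tunable name and the systat value, so a small shared helper would keep the default in one place.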