Date: Wed, 9 Jan 2019 19:17:55 +0000 (UTC) From: Gordon Tetlow <gordon@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r52756 - in head/share: security/advisories security/patches/EN-19:01 security/patches/EN-19:02 security/patches/EN-19:03 security/patches/EN-19:04 security/patches/EN-19:05 xml Message-ID: <201901091917.x09JHtSB026034@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: gordon (src,ports committer) Date: Wed Jan 9 19:17:54 2019 New Revision: 52756 URL: https://svnweb.freebsd.org/changeset/doc/52756 Log: Add EN-19:01 through EN-19:05. Approved by: so Added: head/share/security/advisories/FreeBSD-EN-19:01.cc_cubic.asc (contents, props changed) head/share/security/advisories/FreeBSD-EN-19:02.tcp.asc (contents, props changed) head/share/security/advisories/FreeBSD-EN-19:03.sqlite.asc (contents, props changed) head/share/security/advisories/FreeBSD-EN-19:04.tzdata.asc (contents, props changed) head/share/security/advisories/FreeBSD-EN-19:05.kqueue.asc (contents, props changed) head/share/security/patches/EN-19:01/ head/share/security/patches/EN-19:01/cc_cubic.patch (contents, props changed) head/share/security/patches/EN-19:01/cc_cubic.patch.asc (contents, props changed) head/share/security/patches/EN-19:02/ head/share/security/patches/EN-19:02/tcp.patch (contents, props changed) head/share/security/patches/EN-19:02/tcp.patch.asc (contents, props changed) head/share/security/patches/EN-19:03/ head/share/security/patches/EN-19:03/sqlite-11.patch (contents, props changed) head/share/security/patches/EN-19:03/sqlite-11.patch.asc (contents, props changed) head/share/security/patches/EN-19:03/sqlite-12.patch (contents, props changed) head/share/security/patches/EN-19:03/sqlite-12.patch.asc (contents, props changed) head/share/security/patches/EN-19:04/ head/share/security/patches/EN-19:04/tzdata-2018i.patch (contents, props changed) head/share/security/patches/EN-19:04/tzdata-2018i.patch.asc (contents, props changed) head/share/security/patches/EN-19:05/ head/share/security/patches/EN-19:05/kqueue.patch (contents, props changed) head/share/security/patches/EN-19:05/kqueue.patch.asc (contents, props changed) Modified: head/share/xml/notices.xml Added: head/share/security/advisories/FreeBSD-EN-19:01.cc_cubic.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-19:01.cc_cubic.asc Wed Jan 9 19:17:54 2019 (r52756) @@ -0,0 +1,133 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-19:01.cc_cubic Errata Notice + The FreeBSD Project + +Topic: Connection stalls with CUBIC congestion control + +Category: core +Module: tcp +Announced: 2019-01-09 +Credits: Matt Garber, Hiren Panchasara +Affects: FreeBSD 12.0 +Corrected: 2018-12-17 21:46:42 UTC (stable/12, 12.0-STABLE) + 2019-01-09 18:38:35 UTC (releng/12.0, 12.0-RELEASE-p2) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +CUBIC is a modern congestion control algorithm for the Transmission Control +Protocol (TCP), which along with its predecessor BIC TCP is specifically +optimized for high bandwidth, high latency networks. It is widely +implemented across a variety of operating systems, and is the default TCP +implementation or enabled by default in recent versions of Linux and +Microsoft Windows. CUBIC is available as an alternate congestion control +algorithm since FreeBSD 9.0 using the cc_cubic module. + +II. Problem Description + +Changes to the cc_cubic module in FreeBSD 12.0 can cause network stuttering +or connection stalls when loaded and enabled as default. + +III. Impact + +FreeBSD 12.0 systems loading cc_cubic and setting non-default sysctl value +net.inet.tcp.cc.algorithm=cubic exhibit stuttering and complete stalls of +network connections. Under certain conditions, this may cause loss of system +availability over the network or service unreachability. + +IV. Workaround + +Disabling cc_cubic and selecting one of the alternate included congestion +control algorithms (e.g., newreno, htcp) will restore normal network +connectivity and alleviate stuttering and stalls. Note that disabling CUBIC +may cause a reduction in expected performance based on specific, unique +network condition characteristics and the module used as a workaround. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date, and reboot the system. + +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +30 "Rebooting for FreeBSD errata update" + +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 12.0] +# fetch https://security.FreeBSD.org/patches/EN-19:01/cc_cubic.patch +# fetch https://security.FreeBSD.org/patches/EN-19:01/cc_cubic.patch.asc +# gpg --verify cc_cubic.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r342181 +releng/12.0/ r342893 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>; + +VII. References + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-19:01.cc_cubic.asc>; +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlw2Rb5fFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJGyRAAnpturBqU4XIZMdvInaVHOXA5P6KemeFuJkwz/aMtIbgefm49lvZVS4q6 +RO8/GytONX1OHaoJQDdincVfRbe9x+ID+ulCJfSLuZMhjLYpxDQJo9d4NWZtvpBn +3wJNEQEXB0AjrYUOrebiT7yd3zA4f+7zSHu0Uvq4k5Tk0Xxsqxsx3/MG5ezEmdxx +IWub1RnYvgmUVJBKn/C5A4v17dE12VnZtLrnfhZ4K3U3mVZYc3cJxF34wSscVqYd +iAsntF786FV+hAXBX7wHa3JIqe+uXE2uemrquNmxgup+zrbVWPWPirgku2TVcvsm +m9aQILNc9RvJ/XkViLV8+ypqCymBFsl3VhO3dzmOnsbL72G9rqjQtgdYWT2dp69p +VyU4EWsTULXIbIBNxyrYhinT+DAqyt8bdrtyT3AhcVJaVk5B5APWnXiwjgS4mPN9 +hf2mCjZw10tJgsqYYrBlTERomgHU/pyliu0Rt2sof5+iGArbe7ZhEorHrM7YhD9n +Hc+3oNzA0dYDStJQpEb4rJ7dEKP/mpppwIosMhPbku6u3ViafCJVq2dIGNQpDope +Mh00Kk7cY0o3Rukw2lGNc9vDbIyUSqT/jV4lBDhp4k5ilQynvkMZETLlynI+KQUH +J2uOOvYzkIZLzZyXtaQfkmrkV6DxzmjxDsqwiMz5DB7o70w/M54= +=e8Wg +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-EN-19:02.tcp.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-19:02.tcp.asc Wed Jan 9 19:17:54 2019 (r52756) @@ -0,0 +1,128 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-19:02.tcp Errata Notice + The FreeBSD Project + +Topic: TCP connections may stall and eventually fail in case of + packet loss + +Category: core +Module: kernel +Announced: 2019-01-09 +Credits: Michael Tuexen +Affects: FreeBSD 12.0 +Corrected: 2018-12-23 09:48:36 UTC (stable/12, 12.0-STABLE) + 2019-09-09 18:42:40 UTC (releng/12.0, 12.0-RELEASE-p2) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +The TCP stack limits the resources used for TCP connections. Once a limit +is reached, further received TCP segments for the TCP connection are dropped. + +II. Problem Description + +To continue delivering data to the application, accepting the TCP segment +with the next expected sequence number is required. If this TCP segment is +dropped due to a resource limit, no further progress can be made. Therefore +exceptions for this particular TCP segment have to be implemented. + +III. Impact + +In case of lost TCP segments, TCP connections may stall and then eventually +fail. + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Afterward, reboot the system. + +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Afterward, reboot the system. + +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 12.0] +# fetch https://security.FreeBSD.org/patches/EN-19:02/tcp.patch +# fetch https://security.FreeBSD.org/patches/EN-19:02/tcp.patch.asc +# gpg --verify tcp.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r342378 +releng/12.0/ r342894 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>; + +VII. References + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-19:02.tcp.asc>; +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlw2Rc1fFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJtnxAAgOIJjP9Dg76onxJUPJWiKTAR5VZeZ8od0RJREIeZMUpgFiVUVH82fr8z +ajAzGZbVFhEgFvYwQRU4R/MokNqONoG1O3YPdjcMFyW5HPBoAG+9h67qD3CtLgTN +xnXMR72ed83oY8ts1WSfYVAKF+9X6U5G6FtchBgAhap2k9tI22QKiEmTTmqzUnoy +ddLZatOyKmig8MZKshMmleEpvU+BoYR66d2K9CYxcjHqgNNJOQwQK6yLR3oX41Z9 +n5Akkg/KC7wD02CPFjmO9008ZC4fFiQ8D4eGt9D/lPI4AzLcfkvRdzt5CjMlamXm +Rjf2H5/2f4iYSXiEi2wkChFJHh+MQuYgcfTqRJdNB0qf3DbLwTL5wULfrMVNn7LU +rLHd8CNRTN4+d+//p7nZ/atFbuLjJE08YFqE2ODcMa8eJFaY09/+X+NMIqO6AdTE +hGzqDuiVmI/1MSFjD7dxUotw6Y2iRf+DiLx+JUmb0L+C0FXfl/u8x1ErYbzuLyyL +vD1qb66fDuuSC8aNWO6Qv55bBWAhYhO668CQwfmvEgree72ShbzJPEn3vUN2dIX4 +zg0kTs30QOlizAT2lxQchiPBKkQ+IExPurTT7lW0cZ5PID8y/FSKl49yeQo/nhrD +j/vnF7yMgc6roCyasNlREdi20yTYbp2PItfhaSXWVrtYAFN1jNc= +=3a3w +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-EN-19:03.sqlite.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-19:03.sqlite.asc Wed Jan 9 19:17:54 2019 (r52756) @@ -0,0 +1,145 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-19:03.sqlite Errata Notice + The FreeBSD Project + +Topic: sqlite update + +Category: contrib +Module: sqlite3 +Announced: 2019-01-09 +Credits: Cy Schubert +Affects: All supported versions of FreeBSD. +Corrected: 2018-12-21 01:58:01 UTC (stable/12, 12.0-STABLE) + 2019-01-09 18:47:10 UTC (releng/12.0, 12.0-RELEASE-p2) + 2018-12-21 02:04:15 UTC (stable/11, 11.2-STABLE) + 2019-01-09 18:50:27 UTC (releng/11.2, 11.2-RELEASE-p8) +CVE Name: CVE-2018-20346, CVE-2018-20505, CVE-2018-20506 + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +SQLite is an SQL database engine in a C library. Programs that link the +SQLite library can have SQL database access without running a separate RDBMS +process. The distribution comes with a standalone command-line access +program (sqlite3) that can be used to administer an SQLite database and which +serves as an example of how to use the SQLite library. + +II. Problem Description + +According to https://blade.tencent.com/magellan/index_en.html, the +vulnerabilities known as Magellan are a group vulnerabilities that exist +in sqlite3, documented by CVE-2018-20346, CVE-2018-20505, and CVE-2018-20506. + +When the FTS3 extension is enabled an integer overflow resulting in a buffer +overflow when allowing remote attackers to run arbitrary SQL statements which +can be leveraged to execute arbitrary code. + +III. Impact + +The vulnerabilities were discovered by Tencent Blade Team and verified to be +able to successfully implement remote code execution in Chromium browsers. + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 11.2] +# fetch https://security.FreeBSD.org/patches/EN-19:03/sqlite-11.patch +# fetch https://security.FreeBSD.org/patches/EN-19:03/sqlite-11.patch.asc +# gpg --verify sqlite-11.patch.asc + +[FreeBSD 12.0] +# fetch https://security.FreeBSD.org/patches/EN-19:03/sqlite-12.patch +# fetch https://security.FreeBSD.org/patches/EN-19:03/sqlite-12.patch.asc +# gpg --verify sqlite-12.patch.asc + + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart all daemons that use the library, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r342291 +releng/12.0/ r342895 +stable/11/ r342292 +releng/11.2/ r342896 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>; + +VII. References + +<URL:https://blade.tencent.com/magellan/index_en.html>; + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234113>; + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-19:03.sqlite.asc>; +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlw2RdFfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cLtJg/9EM0jQbTBrSgVy5X1AyQ2rcFz9KbjtA0L48wOuOLiAh7eeYxh4Wxuz9k1 +QnEJavMbpVr71yhmt6maEAbRzyGUvemDh4vlu0wjcYSlEzcvk7xaRzfXimippxky +GumFBCvs7UKDIiGRr62ukmxu3FgfEaTM/Cc4bNcuV5k4za+DWIGTu+97i0+B2ieX +/IZ5hQq42w1YIUY5QOy2vj87rnQf2t+uShcBjRg8HsnPsG9BfQfI8vfuWjjtaKMI +iva++F5UJWcsykjZo5J3aaZFxnHsW2hs3buQN+AhoEt7oKdGquOHdweSw8xtSlp9 +3Y+qj+veD7u4Mt95OtnYrJOg8Kynlrzg5uMDbNGbyqktbxfpi2gqBbPEVmx2+nGj +Aj9PDSHMliBZsVKvr1opExfYp4HL0LB9Kqhato08lFxs05TUxiT6LRcel/iXiIfl +vCqfWhKJYVZ+alAW+Kjic6iWw7AtmVLbV64dDu03jxS/14RtRp1Hbk1BRCrnJeLn +sLSdFj6bi2mQx6OXAd9G9jhReoxylyZwRXyhPSsPG1E4mzX6ZRbJfnkriSazW4hq +F+PjTyXidn3uhS6z6CZB08Ltw2NBd3baRl/TQBEiFHd6SSGByqX6gMguK/tQV92U +uM/Q4Ak4H/Q+nEN8/LdXioW0P7ZEC6X/9GXKWv+bUs6LjcZXftA= +=TG5W +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-EN-19:04.tzdata.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-19:04.tzdata.asc Wed Jan 9 19:17:54 2019 (r52756) @@ -0,0 +1,147 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-19:04.tzdata Errata Notice + The FreeBSD Project + +Topic: Timezone database information update + +Category: contrib +Module: zoneinfo +Announced: 2019-01-09 +Credits: Philip Paeps +Affects: All supported versions of FreeBSD. +Corrected: 2019-01-01 10:04:49 UTC (stable/12, 12.0-STABLE) + 2019-01-09 18:53:35 UTC (releng/12.0, 12.0-RELEASE-p2) + 2019-01-01 10:05:12 UTC (stable/11, 11.2-STABLE) + 2019-01-09 18:54:42 UTC (releng/11.2, 11.2-RELEASE-p8) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +The tzsetup(8) program allows the user to specify the default local timezone. +Based on the selected timezone, tzsetup(8) copies one of the files from +/usr/share/zoneinfo to /etc/localtime. This file actually controls the +conversion. + +II. Problem Description + +Several changes in Daylight Savings Time happened after previous FreeBSD +releases were released that would affect many people who live in different +countries. Because of these changes, the data in the zoneinfo files need to +be updated, and if the local timezone on the running system is affected, +tzsetup(8) needs to be run so the /etc/localtime is updated. + +III. Impact + +An incorrect time will be displayed on a system configured to use one of the +affected timezones if the /usr/share/zoneinfo and /etc/localtime files are +not updated, and all applications on the system that rely on the system time, +such as cron(8) and syslog(8), will be affected. + +IV. Workaround + +The system administrator can install an updated timezone database from the +misc/zoneinfo port and run tzsetup(8) to get the timezone database corrected. + +Applications that store and display times in Coordinated Universal Time (UTC) +are not affected. + +V. Solution + +Please note that some third party software, for instance PHP, Ruby, Java and +Perl, may be using different zoneinfo data source, in such cases this +software must be updated separately. For software packages that is installed +via binary packages, they can be upgraded by executing `pkg upgrade'. + +Following the instructions in this Errata Notice will update all of the +zoneinfo files to be the same as what was released with FreeBSD release. + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. Restart all the affected +applications and daemons, or reboot the system. + +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Restart all the affected applications and daemons, or reboot the system. + +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-19:04/tzdata-2018i.patch +# fetch https://security.FreeBSD.org/patches/EN-19:04/tzdata-2018i.patch.asc +# gpg --verify tzdata-2018i.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart all the affected applications and daemons, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r342667 +releng/12.0/ r342897 +stable/11/ r342668 +releng/11.2/ r342898 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>; + +VII. References + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-19:04.tzdata.asc>; +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlw2RdRfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cKd+Q//QYBUcMdBnW6URT8bWCrIOTPP84aGpMKmU4ZZYidUfI6CJiiWVaGQHJgD +tmdQjaHemSRfxQ+yAZ5XR8oUIBxrzBhA51cM5QMNnJMXBkpqz9yCbHefH3Fxfr6n +Dg+Vt2cZ745MHPK9uhjtUTmLYRF2iztUqlATr3R1NxBbJ6QQzQuVEyeAvTSY9Jdw +/+cQM72m28iHPP+ff5v9n2MLqoTg74HbchwJthtDvgK9elfQFuC1F07i8I6F4krT +FHnPRISpg4EEOKYG/Jjedk9FQBUpKiOhsDz+siGtjQoivz8TemaH5nTMI7P/WP/7 +jFJ6+jQirc2vCvcUzmiPGrBXRx3OptYcIiLOeKfgc+wCtgEHap4Nrl4Damt1QC13 +T4kpaOi3TcqtDtKxZyxwR8tOtJGEayqXFHA5FL1Fgr63JcvbZTXlBg0BT4oAd7mX +DuvDkap5hXh6jlQ2BM4L9J+I+GNMfrpULsM4drsqd7GVBcLrnu06po3M8jgja44T +rVzNB62FuOX19Q2W8kZ7LOfAwW+ho02GNzwuYWiLCpP4JSTaxtHrd1LexpCzO4Lg +zsttA2bkNjmzHxfcbAPbS5IMX539iJdTgZiDlBNzUi+QqiCG83/fRcVvgD7qH1iM +kF7DipZUURjlV/RbtCZFU/fsKVzR7rF5MSQl9q7llwe5uMto6lQ= +=1NIG +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-EN-19:05.kqueue.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-19:05.kqueue.asc Wed Jan 9 19:17:54 2019 (r52756) @@ -0,0 +1,126 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-19:05.kqueue Errata Notice + The FreeBSD Project + +Topic: kqueue race condition and kernel panic + +Category: core +Module: kqueue +Announced: 2019-01-09 +Credits: Mark Johnston +Affects: FreeBSD 11.2 +Corrected: 2019-11-24 17:11:47 UTC (stable/11, 11.2-STABLE) + 2019-01-09 18:57:38 UTC (releng/11.2, 11.2-RELEASE-p8) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +kevent(2) is a system call which provides a generic method of notifying the +caller when a caller-specified event happens or a condition holds. One use +for kevent(2) is to wait for a specified timeout to elapse. + +II. Problem Description + +The kevent(2) implementation in the kernel contains a race condition which +can be triggered when an event is added and fires shortly after. Most event +types are not affected, but timer events can trigger the race if the timeout +duration is very short. + +III. Impact + +The race condition can cause corruption of a queue structure, leading to +a kernel panic when it is later accessed. Applications using kevent(2) may +trigger the panic if their usage causes the race condition to occur. + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date, and reboot. + +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +30 "Rebooting for errata update" + +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 11.2] +# fetch https://security.FreeBSD.org/patches/EN-19:05/kqueue.patch +# fetch https://security.FreeBSD.org/patches/EN-19:05/kqueue.patch.asc +# gpg --verify kqueue.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/11/ r340904 +releng/11.2/ r342899 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>; + +VII. References + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-19:05.kqueue.asc>; +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlw2RdZfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cK0nRAAgPsdkc/TyBTqpvJrvvNaVd0xgNC2lxnYK3HxOPbo5kqj6XHZxb3KvrrN +He6TyGvwGCPHNzlFwHILH+FtFkgrvGVBoPu/U0e/NKRrkhyxPHJMz0bZPu7yqQoG +GDFRIsw5D3JKZW38yMD9Menh3mag81OVZii1LfzkcDLLKfwX/zcx1vV7MSwMzoNs +5L7Fm8lg0uIxrrlKvvmrPxfWoZENhCr9CAAdg8moL3thl64NaVVmPo7tXDXosNGo +EQYT19SY0FBSboUcpVaChgyZaCFzOeCPuXuJPoUYppIWNiv2S8ZTjuq9d1g4R4SD +7GBMozz8EG1rN0pzhx8mVEECZBzdt5rjggiWKjkOVxH/sy5LQjppONK3VVOygoCz +dve2wGq6S1ke/b2NDRpAinmIr8I3x3b7JLNkE5OvNJ6bTLk3ZmpIRYQNYT+eu8Fx +GNe/oTU9DRbB4yv0kcKsypHqQ0cKdn6+duYzKGZ4+c86B7IHJgsYoG/NTKYfFzQx +BHWuI/P/9pakHESNiDidKRz+z5w679+jIfZDcbBIXaw+PCqzg5a1GFN8Bub2mGLw +2wmVQJV1nbdE+6UbWvaV2seV/bo+N/L8k4QS6OPIDUefLPGgCdRFr/MlLoiTaJ43 +p+L3iVlVbiOTCfsCGI/QVQq+IOngKzqSUXN3Ys7PXvvAzSyaTFg= +=fD2U +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-19:01/cc_cubic.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-19:01/cc_cubic.patch Wed Jan 9 19:17:54 2019 (r52756) @@ -0,0 +1,194 @@ +--- sys/netinet/cc/cc.h.orig ++++ sys/netinet/cc/cc.h +@@ -102,8 +102,6 @@ + #define CCF_ACKNOW 0x0008 /* Will this ack be sent now? */ + #define CCF_IPHDR_CE 0x0010 /* Does this packet set CE bit? */ + #define CCF_TCPHDR_CWR 0x0020 /* Does this packet set CWR bit? */ +-#define CCF_MAX_CWND 0x0040 /* Have we reached maximum cwnd? */ +-#define CCF_CHG_MAX_CWND 0x0080 /* Cubic max_cwnd changed, for K */ + + /* ACK types passed to the ack_received() hook. */ + #define CC_ACK 0x0001 /* Regular in sequence ACK. */ +--- sys/netinet/cc/cc_cubic.c.orig ++++ sys/netinet/cc/cc_cubic.c +@@ -88,8 +88,6 @@ + unsigned long max_cwnd; + /* cwnd at the previous congestion event. */ + unsigned long prev_max_cwnd; +- /* Cached value for t_maxseg when K was computed */ +- uint32_t k_maxseg; + /* Number of congestion events. */ + uint32_t num_cong_events; + /* Minimum observed rtt in ticks. */ +@@ -126,9 +124,6 @@ + cubic_data = ccv->cc_data; + cubic_record_rtt(ccv); + +- if (ccv->flags & CCF_MAX_CWND) +- return; +- + /* + * Regular ACK and we're not in cong/fast recovery and we're cwnd + * limited and we're either not doing ABC or are slow starting or are +@@ -156,12 +151,6 @@ + cubic_data->mean_rtt_ticks, cubic_data->max_cwnd, + CCV(ccv, t_maxseg)); + +- if (ccv->flags & CCF_CHG_MAX_CWND || cubic_data->k_maxseg != CCV(ccv, t_maxseg)) { +- cubic_data->K = cubic_k(cubic_data->max_cwnd / CCV(ccv, t_maxseg)); +- cubic_data->k_maxseg = CCV(ccv, t_maxseg); +- ccv->flags &= ~(CCF_MAX_CWND|CCF_CHG_MAX_CWND); +- } +- + w_cubic_next = cubic_cwnd(ticks_since_cong + + cubic_data->mean_rtt_ticks, cubic_data->max_cwnd, + CCV(ccv, t_maxseg), cubic_data->K); +@@ -173,18 +162,13 @@ + * TCP-friendly region, follow tf + * cwnd growth. + */ +- CCV(ccv, snd_cwnd) = ulmin(w_tf, TCP_MAXWIN << CCV(ccv, snd_scale)); ++ CCV(ccv, snd_cwnd) = w_tf; + + else if (CCV(ccv, snd_cwnd) < w_cubic_next) { + /* + * Concave or convex region, follow CUBIC + * cwnd growth. + */ +- if (w_cubic_next >= TCP_MAXWIN << CCV(ccv, snd_scale)) { +- w_cubic_next = TCP_MAXWIN << CCV(ccv, snd_scale); +- ccv->flags |= CCF_MAX_CWND; +- } +- w_cubic_next = ulmin(w_cubic_next, TCP_MAXWIN << CCV(ccv, snd_scale)); + if (V_tcp_do_rfc3465) + CCV(ccv, snd_cwnd) = w_cubic_next; + else +@@ -202,10 +186,8 @@ + * max_cwnd. + */ + if (cubic_data->num_cong_events == 0 && +- cubic_data->max_cwnd < CCV(ccv, snd_cwnd)) { ++ cubic_data->max_cwnd < CCV(ccv, snd_cwnd)) + cubic_data->max_cwnd = CCV(ccv, snd_cwnd); +- ccv->flags |= CCF_CHG_MAX_CWND; +- } + } + } + } +@@ -254,7 +236,6 @@ + cubic_data->num_cong_events++; + cubic_data->prev_max_cwnd = cubic_data->max_cwnd; + cubic_data->max_cwnd = CCV(ccv, snd_cwnd); +- ccv->flags |= CCF_CHG_MAX_CWND; + } + ENTER_RECOVERY(CCV(ccv, t_flags)); + } +@@ -267,8 +248,6 @@ + cubic_data->prev_max_cwnd = cubic_data->max_cwnd; + cubic_data->max_cwnd = CCV(ccv, snd_cwnd); + cubic_data->t_last_cong = ticks; +- ccv->flags |= CCF_CHG_MAX_CWND; +- ccv->flags &= ~CCF_MAX_CWND; + CCV(ccv, snd_cwnd) = CCV(ccv, snd_ssthresh); + ENTER_CONGRECOVERY(CCV(ccv, t_flags)); + } +@@ -285,7 +264,6 @@ + if (CCV(ccv, t_rxtshift) >= 2) { + cubic_data->num_cong_events++; + cubic_data->t_last_cong = ticks; +- ccv->flags &= ~CCF_MAX_CWND; + } + break; + } +@@ -304,7 +282,6 @@ + * get used. + */ + cubic_data->max_cwnd = CCV(ccv, snd_cwnd); +- ccv->flags |= CCF_CHG_MAX_CWND; + } + + static int +@@ -329,11 +306,9 @@ + pipe = 0; + + /* Fast convergence heuristic. */ +- if (cubic_data->max_cwnd < cubic_data->prev_max_cwnd) { ++ if (cubic_data->max_cwnd < cubic_data->prev_max_cwnd) + cubic_data->max_cwnd = (cubic_data->max_cwnd * CUBIC_FC_FACTOR) + >> CUBIC_SHIFT; +- ccv->flags |= CCF_CHG_MAX_CWND; +- } + + if (IN_FASTRECOVERY(CCV(ccv, t_flags))) { + /* +@@ -356,7 +331,6 @@ + cubic_data->max_cwnd) >> CUBIC_SHIFT)); + } + cubic_data->t_last_cong = ticks; +- ccv->flags &= ~CCF_MAX_CWND; + + /* Calculate the average RTT between congestion epochs. */ + if (cubic_data->epoch_ack_count > 0 && +@@ -367,6 +341,7 @@ + + cubic_data->epoch_ack_count = 0; + cubic_data->sum_rtt_ticks = 0; ++ cubic_data->K = cubic_k(cubic_data->max_cwnd / CCV(ccv, t_maxseg)); + } + + /* +--- sys/netinet/cc/cc_cubic.h.orig ++++ sys/netinet/cc/cc_cubic.h +@@ -41,8 +41,6 @@ + #ifndef _NETINET_CC_CUBIC_H_ + #define _NETINET_CC_CUBIC_H_ + +-#include <sys/limits.h> +- + /* Number of bits of precision for fixed point math calcs. */ + #define CUBIC_SHIFT 8 + +@@ -163,6 +161,8 @@ + /* + * Compute the new cwnd value using an implementation of eqn 1 from the I-D. + * Thanks to Kip Macy for help debugging this function. ++ * ++ * XXXLAS: Characterise bounds for overflow. + */ + static __inline unsigned long + cubic_cwnd(int ticks_since_cong, unsigned long wmax, uint32_t smss, int64_t K) +@@ -174,15 +174,6 @@ + /* t - K, with CUBIC_SHIFT worth of precision. */ + cwnd = ((int64_t)(ticks_since_cong << CUBIC_SHIFT) - (K * hz)) / hz; + +- /* moved this calculation up because it cannot overflow or underflow */ +- cwnd *= CUBIC_C_FACTOR * smss; +- +- if (cwnd > 2097151) /* 2^21 cubed is long max */ +- return INT_MAX; +- +- if (cwnd < -2097152) /* -2^21 cubed is long min */ +- return smss; +- + /* (t - K)^3, with CUBIC_SHIFT^3 worth of precision. */ + cwnd *= (cwnd * cwnd); + +@@ -191,17 +182,8 @@ + * The down shift by CUBIC_SHIFT_4 is because cwnd has 4 lots of + * CUBIC_SHIFT included in the value. 3 from the cubing of cwnd above, + * and an extra from multiplying through by CUBIC_C_FACTOR. +- * +- * The original formula was this: +- * cwnd = ((cwnd * CUBIC_C_FACTOR * smss) >> CUBIC_SHIFT_4) + wmax; +- * +- * CUBIC_C_FACTOR and smss factors were moved up to an earlier +- * calculation to simplify overflow and underflow detection. + */ +- cwnd = (cwnd >> CUBIC_SHIFT_4) + wmax; +- +- if (cwnd < 0) +- return 1; ++ cwnd = ((cwnd * CUBIC_C_FACTOR * smss) >> CUBIC_SHIFT_4) + wmax; + + return ((unsigned long)cwnd); + } Added: head/share/security/patches/EN-19:01/cc_cubic.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-19:01/cc_cubic.patch.asc Wed Jan 9 19:17:54 2019 (r52756) @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlw2RhZfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cK6Bw/+NJXfzNxz2c9hS4RgZSeDZxtqPEC6ZG5aKN2vc7RzwYsGgv5f4VzuU40A +MsRNRmbDjoQYj9zkBKOYUWaIX6ZffOjUwc7DZ1Us4ykXRxlB2Ys4R98z5lY6mQDA +hcTnCPvKTMChcXO3hQ77W3bUPk+p5+XvcDhks8K8N5/Xixj1xoy5J8dmbGvQ9i/R +JZa2loacsPab/c2Fr/6L7DyHU3bbXIh+27HknCUOyK0dekbZ8g0oP+u/qb4VX/7s +BkSbIkLUNq3dBkb0vOAoTry/M2kKpU8Dz/SITuW4bSJqfvNWN2hiT7YTQaNg+E0J +VaaKHhpGO5TrYDnYRfmJyrAiobROEbpoGXg9TvfZ9VLk0sGOPcBN598DNJLkiZCa +dzMrimOOcgeeyPhvG0Mq4ZGBkYgqj88jb29bwJbkCLvjTfaL3kPeKxky1bylgEmR +Vevzqlp9IhrnSW21u0Kd8ZWuXka8ni+uKe2B24FyOZntziODWOi/rFAE7DV21y1V +gZsX2v9kwr/M2ApFpAhtEnF3JHX0sl5J8mF9Wnv0CdJP3fTpC9M0byZsCc2qy84g +5f6KPu57CgvuHG/YRKLDxG7tt1jXYi/LFsR7iGbbCCbthx5pImQrYfKMOdSR81s+ +Iwa8j657nxF+YjM+aq8l7E3g1uonJ2aWT95WFssUnv2ww+O14fw= +=4RIV +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-19:02/tcp.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-19:02/tcp.patch Wed Jan 9 19:17:54 2019 (r52756) @@ -0,0 +1,56 @@ +--- sys/netinet/tcp_reass.c.orig ++++ sys/netinet/tcp_reass.c +@@ -579,7 +579,8 @@ + */ + lenofoh = tcp_reass_overhead_of_chain(m, &mlast); + sb = &tp->t_inpcb->inp_socket->so_rcv; +- if ((sb->sb_mbcnt + tp->t_segqmbuflen + lenofoh) > sb->sb_mbmax) { ++ if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) && ++ (sb->sb_mbcnt + tp->t_segqmbuflen + lenofoh) > sb->sb_mbmax) { + /* No room */ + TCPSTAT_INC(tcps_rcvreassfull); + #ifdef TCP_REASS_COUNTERS +@@ -588,6 +589,11 @@ + #ifdef TCP_REASS_LOGGING + tcp_log_reassm(tp, NULL, NULL, th->th_seq, lenofoh, TCP_R_LOG_LIMIT_REACHED, 0); + #endif ++ if ((s = tcp_log_addrs(&tp->t_inpcb->inp_inc, th, NULL, NULL))) { ++ log(LOG_DEBUG, "%s; %s: mbuf count limit reached, " ++ "segment dropped\n", s, __func__); ++ free(s, M_TCPLOG); ++ } + m_freem(m); + *tlenp = 0; + #ifdef TCP_REASS_LOGGING +@@ -936,6 +942,20 @@ + * is understood. + */ + new_entry: ++ if (th->th_seq == tp->rcv_nxt && TCPS_HAVEESTABLISHED(tp->t_state)) { ++ tp->rcv_nxt += *tlenp; ++ flags = th->th_flags & TH_FIN; ++ TCPSTAT_INC(tcps_rcvoopack); ++ TCPSTAT_ADD(tcps_rcvoobyte, *tlenp); ++ SOCKBUF_LOCK(&so->so_rcv); ++ if (so->so_rcv.sb_state & SBS_CANTRCVMORE) { ++ m_freem(m); ++ } else { ++ sbappendstream_locked(&so->so_rcv, m, 0); ++ } ++ sorwakeup_locked(so); ++ return (flags); ++ } + if (tcp_new_limits) { + if ((tp->t_segqlen > tcp_reass_queue_guard) && + (*tlenp < MSIZE)) { +@@ -960,9 +980,7 @@ + return (0); + } + } else { +- +- if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) && +- tp->t_segqlen >= min((so->so_rcv.sb_hiwat / tp->t_maxseg) + 1, ++ if (tp->t_segqlen >= min((so->so_rcv.sb_hiwat / tp->t_maxseg) + 1, + tcp_reass_maxqueuelen)) { + TCPSTAT_INC(tcps_rcvreassfull); + *tlenp = 0; Added: head/share/security/patches/EN-19:02/tcp.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-19:02/tcp.patch.asc Wed Jan 9 19:17:54 2019 (r52756) @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlw2RhxfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cIsjBAAiM9K9Y/ci+sVsH0HrunEbdJT5dI4oabI6Z7zV7X2F5OZobC0neXYCpqH +sknU/phwdWTmSdLlqxI37At2rQPRFnnAF0sfyByJEmnrNq3CPg/cFabvuNWfetPh +wpHQc7XUJAz58Lk5o382Dn4POZP+aBmo1e6ULHIXCcgR8xHvGAtQoCLJFh9VXKZx +tSP+PiwCfHXjIF1J+bEPhv6IO3H59COb5daj1qhTbUnkCmacPBDCFzrSqqbUPOru +MAvXxcUP3mhPDrIx5eDUNo5C1t54PF6fPzBj8Pq+SUKXrHI1PYHxw2yL+y0vn7vT +TImWde+rRdDwzab2mt/IP2WaRnC5wVNS+QHZc9M+QB+ujAx8e278uK/eiJwKkm59 +MShtZ46YB96aoZuLYibk+i53jW7OOJbCH9xwFXvZb2n3ObBfJcqig4aXtvug7BOr +v/90s6Q72jKpJUopgzFut6E2XtJ6ImAvq8qDxo0qLix5vASu57tst/5vyfj4dt79 +AJ05x20KKKKhaNzpnwyOWW4/egeElJPLHg8WsWzwtsRW1ZMWBRIqAzS+dLlDNod9 +ywSbOYb0FMmYe0rtv1gbm5wWjAQ8QYEe/8JoD7y5O04mUVmxmubeYYQ2vAxtxDPs +ODiJtLdALWkPidb8ynn4r5LBYDjQRvni1+3j2E+nCh9Z08nHzzs= +=KVpY +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-19:03/sqlite-11.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-19:03/sqlite-11.patch Wed Jan 9 19:17:54 2019 (r52756) @@ -0,0 +1,76146 @@ +--- contrib/sqlite3/Makefile.am.orig ++++ contrib/sqlite3/Makefile.am +@@ -1,6 +1,5 @@ + +-AM_CFLAGS = @THREADSAFE_FLAGS@ @DYNAMIC_EXTENSION_FLAGS@ @FTS5_FLAGS@ @JSON1_FLAGS@ @SESSION_FLAGS@ -DSQLITE_ENABLE_FTS3 -DSQLITE_ENABLE_RTREE *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201901091917.x09JHtSB026034>