Date: Tue, 21 Oct 2014 20:48:09 +0000 (UTC) From: Xin LI <delphij@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r45857 - in head/share: security/advisories security/patches/SA-14:20 security/patches/SA-14:21 security/patches/SA-14:22 security/patches/SA-14:23 xml Message-ID: <201410212048.s9LKm9VO084176@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: delphij Date: Tue Oct 21 20:48:08 2014 New Revision: 45857 URL: https://svnweb.freebsd.org/changeset/doc/45857 Log: Add SA-14:20 - SA-14:23. Added: head/share/security/advisories/FreeBSD-SA-14:20.rtsold.asc (contents, props changed) head/share/security/advisories/FreeBSD-SA-14:21.routed.asc (contents, props changed) head/share/security/advisories/FreeBSD-SA-14:22.namei.asc (contents, props changed) head/share/security/advisories/FreeBSD-SA-14:23.openssl.asc (contents, props changed) head/share/security/patches/SA-14:20/ head/share/security/patches/SA-14:20/rtsold.patch (contents, props changed) head/share/security/patches/SA-14:20/rtsold.patch.asc (contents, props changed) head/share/security/patches/SA-14:21/ head/share/security/patches/SA-14:21/routed.patch (contents, props changed) head/share/security/patches/SA-14:21/routed.patch.asc (contents, props changed) head/share/security/patches/SA-14:22/ head/share/security/patches/SA-14:22/namei-10.patch (contents, props changed) head/share/security/patches/SA-14:22/namei-10.patch.asc (contents, props changed) head/share/security/patches/SA-14:22/namei-9.patch (contents, props changed) head/share/security/patches/SA-14:22/namei-9.patch.asc (contents, props changed) head/share/security/patches/SA-14:23/ head/share/security/patches/SA-14:23/openssl-10.0.patch (contents, props changed) head/share/security/patches/SA-14:23/openssl-10.0.patch.asc (contents, props changed) head/share/security/patches/SA-14:23/openssl-8.4.patch (contents, props changed) head/share/security/patches/SA-14:23/openssl-8.4.patch.asc (contents, props changed) head/share/security/patches/SA-14:23/openssl-9.3.patch (contents, props changed) head/share/security/patches/SA-14:23/openssl-9.3.patch.asc (contents, props changed) Modified: head/share/xml/advisories.xml Added: head/share/security/advisories/FreeBSD-SA-14:20.rtsold.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-14:20.rtsold.asc Tue Oct 21 20:48:08 2014 (r45857) @@ -0,0 +1,169 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +============================================================================= +FreeBSD-SA-14:20.rtsold Security Advisory + The FreeBSD Project + +Topic: rtsold(8) remote buffer overflow vulnerability + +Category: core +Module: rtsold +Announced: 2014-10-21 +Credits: Florian Obser, Hiroki Sato +Affects: FreeBSD 9.1 and later. +Corrected: 2014-10-21 20:20:07 UTC (stable/10, 10.1-PRERELEASE) + 2014-10-21 20:20:36 UTC (releng/10.1, 10.1-RC2-p1) + 2014-10-21 20:20:36 UTC (releng/10.1, 10.1-RC1-p1) + 2014-10-21 20:20:36 UTC (releng/10.1, 10.1-BETA3-p1) + 2014-10-21 20:21:10 UTC (releng/10.0, 10.0-RELEASE-p10) + 2014-10-21 20:20:17 UTC (stable/9, 9.3-STABLE) + 2014-10-21 20:21:10 UTC (releng/9.3, 9.3-RELEASE-p3) + 2014-10-21 20:21:10 UTC (releng/9.2, 9.2-RELEASE-p13) + 2014-10-21 20:21:10 UTC (releng/9.1, 9.1-RELEASE-p20) +CVE Name: CVE-2014-3954 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:http://security.FreeBSD.org/>. + +I. Background + +As part of the stateless addess autoconfiguration (SLAAC) mechanism, +IPv6 routers periodically broadcast router advertisement messages on +attached networks to inform hosts of the correct network prefix, +router address and MTU, as well as additional network parameters such +as the DNS servers (RDNSS), DNS search list (DNSSL) and whether a +stateful configuration service is available. Hosts that have recently +joined the network can broadcast a router solicitation message to +solicit an immediate advertisement instead of waiting for the next +periodic advertisement. + +The router solicitation daemon, rtsold(8), broadcasts router +solicitation messages at startup or when the state of an interface +changes from passive to active. Incoming router advertisement +messages are first processed by the kernel and then passed on to +rtsold(8), which handles the DNS and stateful configuration options. + +II. Problem Description + +Due to a missing length check in the code that handles DNS parameters, +a malformed router advertisement message can result in a stack buffer +overflow in rtsold(8). + +III. Impact + +Receipt of a router advertisement message with a malformed DNSSL +option, for instance from a compromised host on the same network, can +cause rtsold(8) to crash. + +While it is theoretically possible to inject code into rtsold(8) +through malformed router advertisement messages, it is normally +compiled with stack protection enabled, rendering such an attack +extremely difficult. + +When rtsold(8) crashes, the existing DNS configuration will remain in +force, and the kernel will continue to receive and process periodic +router advertisements. + +IV. Workaround + +No workaround is available, but systems that do not run rtsold(8) are +not affected. + +As a general rule, SLAAC should not be used on networks where trusted +and untrusted hosts coexist in the same broadcast domain. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/SA-14:20/rtsold.patch +# fetch http://security.FreeBSD.org/patches/SA-14:20/rtsold.patch.asc +# gpg --verify rtsold.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/rtsold.patch + +c) Recompile rtsold. Execute the following commands as root: + +# cd /usr/src/usr.sbin/rtsold +# make && make install + +4) Restart the affected service + +To restart the affected service after updating the system, either +reboot the system or execute the following command as root: + +# service rtsold restart + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r273412 +releng/9.1/ r273415 +releng/9.2/ r273415 +releng/9.3/ r273415 +stable/10/ r273411 +releng/10.0/ r273415 +releng/10.1/ r273414 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3954> + +The latest revision of this advisory is available at +<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:20.rtsold.asc> +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iQIcBAEBAgAGBQJURsSoAAoJEO1n7NZdz2rn5GsP/2y0fUJYVdsZjA4VtUcLFp4Q +nhjGO3I4NOXZAj3c+bWwbw/Bmg7juFVXiAdLgcpK8UuTT+0znAkEcGoG+uA9q6K1 +PoFjTmXoukIqtu4sd5Gxp74+xVqY41XOuwanHNMiCbvGEbInxoCs3t56C7Ai1/9m +DXhDCukNEH9JZv5qUS5L7IcosuQs2l1viU9oUA/hSfVeI9IFKp8SItDthwtLVrXe +bgr50oQdCtwR3gx3Dwkg//er3JCsSJ0ixJO0bGGaqnGLPq7gwmJf8zKy10EE2fri +AMpUcYMsO+MqhE+PyyuW9MJaPpX+zghZac75UYPh0EckIn8m2p6QGYXcDtZ18qR8 +uq4JCk5nDARKuy7kraEuNJgFzNIBN/wVwOSqaF4n43vhmsuiKF9uzePrtEhB7xoN +7vT66EXXkCgiqQrQVJ6IH5LzoUJtYVDZTWLWU66r919qbQzYQFU7uslaGF8rgVIg +HZOfEbDto3dvULmbVHkaWiyotKYSKXZROBTKvTOWVs+BX37zQgg4PGuU6CqatB8R +Sltg2kxycQXoIm5XiiSL18RTgxEWb+DKfw8e/691EM1/F3XIQVNX11wJpeZwL/sf +zE9TtTnmqpIBPGIe7aURgJWwX/iA4ljAqB1t5DmgIQrJMXovMXnAVMIu4L2jy+gY +eRy82+SI3pc3thChv2hv +=L56U +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-14:21.routed.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-14:21.routed.asc Tue Oct 21 20:48:08 2014 (r45857) @@ -0,0 +1,163 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +============================================================================= +FreeBSD-SA-14:21.routed Security Advisory + The FreeBSD Project + +Topic: routed(8) remote denial of service vulnerability + +Category: core +Module: routed +Announced: 2014-10-21 +Credits: Hiroki Sato +Affects: All supported versions of FreeBSD. +Corrected: 2014-10-21 20:20:07 UTC (stable/10, 10.1-PRERELEASE) + 2014-10-21 20:20:36 UTC (releng/10.1, 10.1-RC2-p1) + 2014-10-21 20:20:36 UTC (releng/10.1, 10.1-RC1-p1) + 2014-10-21 20:20:36 UTC (releng/10.1, 10.1-BETA3-p1) + 2014-10-21 20:21:10 UTC (releng/10.0, 10.0-RELEASE-p10) + 2014-10-21 20:20:17 UTC (stable/9, 9.3-STABLE) + 2014-10-21 20:21:10 UTC (releng/9.3, 9.3-RELEASE-p3) + 2014-10-21 20:21:10 UTC (releng/9.2, 9.2-RELEASE-p13) + 2014-10-21 20:21:10 UTC (releng/9.1, 9.1-RELEASE-p20) + 2014-10-21 20:20:26 UTC (stable/8, 8.4-STABLE) + 2014-10-21 20:21:27 UTC (releng/8.4, 8.4-RELEASE-p17) +CVE Name: CVE-2014-3955 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:http://security.FreeBSD.org/>. + +I. Background + +The routing information protocol (RIP) is an older routing protocol +which, while not as capable as more recent protocols such as OSPF and +BGP, is sometimes preferred for its simplicity and therefore still +used as an interior gateway protocol on smaller networks. + +Routers in a RIP network periodically broadcast their routing table on +all enabled interfaces. Neighboring routers and hosts receive these +broadcasts and update their routing tables accordingly. + +The routed(8) daemon is a RIP implementation for FreeBSD. The +rtquery(8) utility can be used to send a RIP query to a router and +display the result without updating the routing table. + +II. Problem Description + +The input path in routed(8) will accept queries from any source and +attempt to answer them. However, the output path assumes that the +destination address for the response is on a directly connected +network. + +III. Impact + +Upon receipt of a query from a source which is not on a directly +connected network, routed(8) will trigger an assertion and terminate. +The affected system's routing table will no longer be updated. If the +affected system is a router, its routes will eventually expire from +other routers' routing tables, and its networks will no longer be +reachable unless they are also connected to another router. + +IV. Workaround + +Use a packet filter such as pf(4) or ipfw(4) to block incoming UDP +packets with destination port 520 that did not originate on the same +subnet as the destination address. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/SA-14:21/routed.patch +# fetch http://security.FreeBSD.org/patches/SA-14:21/routed.patch.asc +# gpg --verify routed.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/routed.patch + +c) Recompile routed. Execute the following commands as root: + +# cd /usr/src/sbin/routed +# make && make install + +4) Restart the affected service + +To restart the affected service after updating the system, either +reboot the system or execute the following command as root: + +# service routed restart + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r273413 +releng/8.4/ r273416 +stable/9/ r273412 +releng/9.1/ r273415 +releng/9.2/ r273415 +releng/9.3/ r273415 +stable/10/ r272872 +releng/10.0/ r273415 +releng/10.1/ r273414 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3955> + +The latest revision of this advisory is available at +<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:21.routed.asc> +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iQIcBAEBAgAGBQJURsSrAAoJEO1n7NZdz2rneOIQAIXaYGwNAYmVFUqa/YOtxSlQ +l1ETThsuHxuDUrlkHD82uZu6yJi+HdGz1R2xBLYlxpwk/4GO3D/IdUZI0w1LgNJs +JRHmAikUpCgcMh0QfyoHD9KSp3wPiQJ9Cmp6ajrjsdIdjrNbFwczoaWHHQ1MyRwp +kv9OEC7t9rJkZRMuCjrSvGTQVqHFixoZUdJV42a2PNYTyWZmwE33GJ+Zgv/59mPw +bzGTTI3RTuj1WUJp4MmYV3Eb8y8SnM6szUs4Wlul/uVGfEI3dXYYo3iAHQNHWpAR +sUaqoVI16P5x952I9PbMA/J5wq/Nm2bVwEAsJN9NE/KPMdD1I4QzvyAlNRFCro8S +C7qS4a0X75nQ+pehRqPVDdnvJbkxfdgsWP+jwVZ4e0244DQfiKWTKTd+If/cPHa8 +T0z1uZ4xE/BQ0DpJiu9r/ndcm5ych6TbIkNXmGI05jQPntvSYQzhyUTEp2Rmq3IX +rmre4CHWrTYT7/niTJonieErmtGDe5LrUyP2Odv13euKEsCIbSOPVnDFFhAwsAjJ +zu2Tm+BPXh0lXHuq/tQ+L5lWv1uoMi9hkLxh6zhFaX4li15sS5tR+GeBXmd9h2Wp ++iT5hvgxfnQPZI3Ey932J20+7LMULlkr2aV2h5NcvroolnQIehj12z0IQBelFsXN +wtFPveXqXWUfV8WVNBJ1 +=uHh+ +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-14:22.namei.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-14:22.namei.asc Tue Oct 21 20:48:08 2014 (r45857) @@ -0,0 +1,153 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +============================================================================= +FreeBSD-SA-14:22.namei Security Advisory + The FreeBSD Project + +Topic: memory leak in sandboxed namei lookup + +Category: core +Module: kernel +Announced: 2014-10-21 +Credits: Mateusz Guzik +Affects: FreeBSD 9.1 and later. +Corrected: 2014-10-21 20:20:07 UTC (stable/10, 10.1-PRERELEASE) + 2014-10-21 20:20:36 UTC (releng/10.1, 10.1-RC2-p1) + 2014-10-21 20:20:36 UTC (releng/10.1, 10.1-RC1-p1) + 2014-10-21 20:20:36 UTC (releng/10.1, 10.1-BETA3-p1) + 2014-10-21 20:21:10 UTC (releng/10.0, 10.0-RELEASE-p10) + 2014-10-21 20:20:17 UTC (stable/9, 9.3-STABLE) + 2014-10-21 20:21:10 UTC (releng/9.3, 9.3-RELEASE-p3) + 2014-10-21 20:21:10 UTC (releng/9.2, 9.2-RELEASE-p13) + 2014-10-21 20:21:10 UTC (releng/9.1, 9.1-RELEASE-p20) +CVE Name: CVE-2014-3711 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:http://security.FreeBSD.org/>. + +I. Background + +The namei kernel facility is responsible for performing and caching +translations from path names to file system objects (vnodes). + +Capsicum is a lightweight capability and sandbox framework using a +hybrid capability system model. It is often used to create sandboxes +for applications that process data from untrusted sources. + +II. Problem Description + +The namei facility will leak a small amount of kernel memory every +time a sandboxed process looks up a nonexistent path name. + +III. Impact + +A remote attacker that can cause a sandboxed process (for instance, a +web server) to look up a large number of nonexistent path names can +cause memory exhaustion. + +IV. Workaround + +Systems that do not have Capsicum enabled or do not run services that +use Capsicum are not vulnerable. + +On systems that have Capsicum compiled into the kernel, it can be +disabled by executing the following command as root: + +# sysctl kern.features.security_capabilities=0 + +Services that use Capsicum are usually able to run without it, albeit +with reduced security. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 9.x] +# fetch http://security.FreeBSD.org/patches/SA-14:22/namei-9.patch +# fetch http://security.FreeBSD.org/patches/SA-14:22/namei-9.patch.asc +# gpg --verify namei-9.patch.asc + +[FreeBSD 10.x] +# fetch http://security.FreeBSD.org/patches/SA-14:22/namei-10.patch +# fetch http://security.FreeBSD.org/patches/SA-14:22/namei-10.patch.asc +# gpg --verify namei-10.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r273412 +releng/9.1/ r273415 +releng/9.2/ r273415 +releng/9.3/ r273415 +stable/10/ r273411 +releng/10.0/ r273415 +releng/10.1/ r273414 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3711> + +The latest revision of this advisory is available at +<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:22.namei.asc> +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iQIcBAEBAgAGBQJURsStAAoJEO1n7NZdz2rnoMoQAIuqKpDLi+sGXnWUQeYGPEZH +OqwkK9ZbvEiNDAeol03FvxfTg8LzI4OtzkceFDy7KWUTNUN3HnGq1MhFLo+s5r7x +KtJVIzKgitZVh/1ikr6+DObpuwVHQfdKws6NKqCssqOknDIcNhNG97B1wl/QwnDX +3/BmAWFYaf6+AG0+vQhxUBTuP9keu8DlpBJ4eEbhRqVCSuo6enJ4uTQXOet7lEOR +loGqhuMJB265qi2e/vkcnXnOrd6eGQ9vkVJTS0jKmKF3VG8HTcUmUvwLAGeqmTuV +LIJVpSaFgDX7BuG0tUhwmtmql4+ROU6tyHVWBAmVcSNTRgy9L/It/BdG0slNdVVq +2OG0ApKCQIukfK6xtz7adgxRYvClzVZZmyjEPzu0MGs/imdEpfgsUap9yrPhHyoe +KM98VaKtzz2e09KxoAxAezgioDCv5rLZnaX8IqBlFft3BvfPP7TPbKrPvvmETu4P +/4nthuEFE4jl9xyVINaHdKW9gVAOP44OAj+HlxvNxn4llkrA2v4Zbc3mjukK0ZEx +OKz++lf7SmfTPI1lD+oN6FJRWEkK0YnVytsw8taHYlqDYdxaL+OB60B+Ko2JoqpL +AROBT2tp9j/NsG46CgDFqA7oV5JWe/Kk67VrkOs8BL6nplKVD9M5m4XDyakn9wkk +PA3J/dN5bSd7VIxYExZD +=MO7y +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-14:23.openssl.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-14:23.openssl.asc Tue Oct 21 20:48:08 2014 (r45857) @@ -0,0 +1,193 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +============================================================================= +FreeBSD-SA-14:23.openssl Security Advisory + The FreeBSD Project + +Topic: OpenSSL multiple vulnerabilities + +Category: contrib +Module: openssl +Announced: 2014-10-21 +Affects: All supported versions of FreeBSD. +Corrected: 2014-10-15 19:59:43 UTC (stable/10, 10.1-PRERELEASE) + 2014-10-21 19:00:32 UTC (releng/10.1, 10.1-RC3) + 2014-10-21 19:00:32 UTC (releng/10.1, 10.1-RC2-p1) + 2014-10-21 19:00:32 UTC (releng/10.1, 10.1-RC1-p1) + 2014-10-21 19:00:32 UTC (releng/10.1, 10.1-BETA3-p1) + 2014-10-21 20:21:10 UTC (releng/10.0, 10.0-RELEASE-p10) + 2014-10-15 20:28:31 UTC (stable/9, 9.3-STABLE) + 2014-10-21 20:21:10 UTC (releng/9.3, 9.3-RELEASE-p3) + 2014-10-21 20:21:10 UTC (releng/9.2, 9.2-RELEASE-p13) + 2014-10-21 20:21:10 UTC (releng/9.1, 9.1-RELEASE-p20) + 2014-10-15 20:28:31 UTC (stable/8, 8.4-STABLE) + 2014-10-21 20:21:27 UTC (releng/8.4, 8.4-RELEASE-p17) +CVE Name: CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, CVE-2014-3568 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:http://security.FreeBSD.org/>. + +I. Background + +FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is +a collaborative effort to develop a robust, commercial-grade, full-featured +Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) +and Transport Layer Security (TLS v1) protocols as well as a full-strength +general purpose cryptography library. + +II. Problem Description + +A flaw in the DTLS SRTP extension parsing code allows an attacker, who +sends a carefully crafted handshake message, to cause OpenSSL to fail +to free up to 64k of memory causing a memory leak. [CVE-2014-3513]. + +When an OpenSSL SSL/TLS/DTLS server receives a session ticket the +integrity of that ticket is first verified. In the event of a session +ticket integrity check failing, OpenSSL will fail to free memory +causing a memory leak. [CVE-2014-3567]. + +The SSL protocol 3.0, as supported in OpenSSL and other products, supports +CBC mode encryption where it could not adequately check the integrity of +padding, because of the use of non-deterministic CBC padding. This +protocol weakness makes it possible for an attacker to obtain clear text +data through a padding-oracle attack. + +Some client applications (such as browsers) will reconnect using a +downgraded protocol to work around interoperability bugs in older +servers. This could be exploited by an active man-in-the-middle to +downgrade connections to SSL 3.0 even if both sides of the connection +support higher protocols. SSL 3.0 contains a number of weaknesses +including POODLE [CVE-2014-3566]. + +OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications +to block the ability for a MITM attacker to force a protocol downgrade. + +When OpenSSL is configured with "no-ssl3" as a build option, servers +could accept and complete a SSL 3.0 handshake, and clients could be +configured to send them. [CVE-2014-3568]. + +III. Impact + +A remote attacker can cause Denial of Service with OpenSSL 1.0.1 +server implementations for both SSL/TLS and DTLS regardless of +whether SRTP is used or configured. [CVE-2014-3513] + +By sending a large number of invalid session tickets an attacker +could exploit this issue in a Denial Of Service attack. +[CVE-2014-3567]. + +An active man-in-the-middle attacker can force a protocol downgrade +to SSLv3 and exploit the weakness of SSLv3 to obtain clear text data +from the connection. [CVE-2014-3566] [CVE-2014-3568] + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 10.0] +# fetch http://security.FreeBSD.org/patches/SA-14:23/openssl-10.0.patch +# fetch http://security.FreeBSD.org/patches/SA-14:23/openssl-10.0.patch.asc +# gpg --verify openssl-10.0.patch.asc + +[FreeBSD 9.3] +# fetch http://security.FreeBSD.org/patches/SA-14:23/openssl-9.3.patch +# fetch http://security.FreeBSD.org/patches/SA-14:23/openssl-9.3.patch.asc +# gpg --verify openssl-9.3.patch.asc + +[FreeBSD 8.4, 9.1 and 9.2] +# fetch http://security.FreeBSD.org/patches/SA-14:23/openssl-8.4.patch +# fetch http://security.FreeBSD.org/patches/SA-14:23/openssl-8.4.patch.asc +# gpg --verify openssl-8.4.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>. + +Restart all deamons using the library, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r273151 +releng/8.4/ r273416 +stable/9/ r273151 +releng/9.1/ r273415 +releng/9.2/ r273415 +releng/9.3/ r273415 +stable/10/ r273149 +releng/10.0/ r273415 +releng/10.1/ r273399 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3513> + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566> + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567> + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3568> + +The latest revision of this advisory is available at +<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:23.openssl.asc> +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iQIcBAEBAgAGBQJURsSwAAoJEO1n7NZdz2rn3ekQANG9DnAGJq/yAXXtX4wdeP08 +Ep35L3dkxJsthoqJhn7fc/pra5SZ5iS7NCRHdh5Xn1dsxRiOsffYt9zanWyTOgj+ +RQy9jiNp0oIWQEkxZVoHMIKn6VeQk1I2llSXyERANjeDtKX6GV2gV+Zd4tcExW4T +Nn9jVHgkDL/doxJ3C1K0BrkdoEEwyPohAf8WLAg6ZKRm3Pys1Ewjm6fPBPtKUIEu +zWFruP5xFz3rM6i/4zcihj7b4BuIKtUBgHf28rgf0I3TKZTr75Xr9h4q/8ZG4H0G +Lk/1OoZTiMyjlBLufpTlCOdODjz7ORzDLif47Zyt52iZowq1hl4WO7Xo/C/kPUmG +o631wsLmO9tPS2Z0TmIQm1fwjlTvIZefZAlMpa1lDwnwZx2hRsu9TzauACdSbuWx +9i+e8/CSMEsr0qJo8KXjltpV9siULhkvl9xr3PwxMfvHFjGUAuur2zHUoTQZTpy0 +nKJJXSs3kIW/4ivLMDuDYijdVnf4hrih6GTKEND6aNXtyXitiFK8J4a/q0T4BBnh +89A2QUFVeeDPmf7jzMh824s8W2uoPFGJqHgdtqv1bLT29rqh5ya/5zi7sci6Q/Mk +ov0U8X3Pwun7iwJDeYG6N38lUSdMqImHR12Ay7pOY04i4qau4Yf8B26lwcMk/HrU +cZ84y1sCp0qHtTqKuak9 +=ywze +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-14:20/rtsold.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:20/rtsold.patch Tue Oct 21 20:48:08 2014 (r45857) @@ -0,0 +1,14 @@ +Index: usr.sbin/rtsold/rtsol.c +=================================================================== +--- usr.sbin/rtsold/rtsol.c.orig ++++ usr.sbin/rtsold/rtsol.c +@@ -933,7 +933,8 @@ + dst_origin = dst; + memset(dst, '\0', dlen); + while (src && (len = (uint8_t)(*src++) & 0x3f) && +- (src + len) <= src_last) { ++ (src + len) <= src_last && ++ (dst - dst_origin < (ssize_t)dlen)) { + if (dst != dst_origin) + *dst++ = '.'; + warnmsg(LOG_DEBUG, __func__, "labellen = %zd", len); Added: head/share/security/patches/SA-14:20/rtsold.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:20/rtsold.patch.asc Tue Oct 21 20:48:08 2014 (r45857) @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iQIcBAABAgAGBQJURsQSAAoJEO1n7NZdz2rnmGoQAJz5xZjKbFt1RrArI+K7pF2E +qJ9V1trv6ltofAYF74m9BIrYJBodB7s+lwd+qIIfawd5wAK7eKvYtow8izloszP7 ++f2Yl3AfXwqsJbStYfi+2OGqqYS/ruGOHRnCicILdHi2I2kH4L1/tUMiQbSe+oIj +Ro6sT236c2A1khmqChtTotaoNmFT4yyF1/wRqo0sFYu/LPav+hH3VysPTzejAIun +oLdXPe5ENKyqiMT8ikzB2NR2y4tk6a01iDBqeGjiyxo920uQBq176mAACFKzOAty +IXwWAOnomCSQBETNgl7pYcgR6hzpVEFAO/PtJjVBh/z2U1FyVfeYslGt8B6S7pUh +gBj68821d2jq56P4dKPsKQKJ8MORAZ+UcwnFqjFXF+op4ArM+9nA+MfuDUSdmBTx +j1DqhxRbH8E0v36hv+/a+LT5JZtqt0iGfAdmujjdo4kehjo5woYHd32scX5ezXrt +oq1GCckL7HACWd0cILo8CKoPTxzjr2VR3qfXqyekSDQgXXh9r+y11mmP6LwpVHa0 +LjrbNtkNUoixYPozk0JMjaZ16Ie9/r4a+cUiacrJSTpSQyLucP8CJNoj5oUEac5L +l9GwgWGr8ipjeOdd0e81UmWbEZT5pdMokpW5Z31ZjIIpvnJRah8p77KE1IVnK56L +0lgyNXhm+wD9SaO7DM52 +=l7Mg +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-14:21/routed.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:21/routed.patch Tue Oct 21 20:48:08 2014 (r45857) @@ -0,0 +1,15 @@ +Index: sbin/routed/input.c +=================================================================== +--- sbin/routed/input.c.orig ++++ sbin/routed/input.c +@@ -288,6 +288,10 @@ + /* Answer a query from a utility program + * with all we know. + */ ++ if (aifp == NULL) { ++ trace_pkt("ignore remote query"); ++ return; ++ } + if (from->sin_port != htons(RIP_PORT)) { + supply(from, aifp, OUT_QUERY, 0, + rip->rip_vers, ap != 0); Added: head/share/security/patches/SA-14:21/routed.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:21/routed.patch.asc Tue Oct 21 20:48:08 2014 (r45857) @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iQIcBAABAgAGBQJURsQVAAoJEO1n7NZdz2rnWtYP/2w38OHA+dJXuXZIV0Pf1dly +6u3hpDY17pFmLfeqGB56PXZ/LhXfbFTcu9b5oNyyQpSM280gipdpsryIZ+BU1zqY +dqf+NfTLIBHUgY+wJjxpPmh5c3ofdhSBJcoC3NMNruz/f5goZ/0yJ2suI0lff6G5 +NkKs2IiFY/pfRaAxOMA63sGSVUcEzSH3GK4VeP8YpCXu0rIYjLpZJKBls/vdROMV +1YujzgdLPX7bDwClAvt0M0phfkuzt/sE/PNtMhSbFwumhkxFx8HH3pJwBABTR49h +afYvBogdV+lT4+mQV4dl+vXBgl5vT3oydOfzjlfSSXIhBQxmhnWb/vxF9vt5U6xK +5M8mhpuaYNqxq/+O3X/P/OI1eKE6f6k1ohuldHY+q2HTiCAFtaIViT1sKl4BenVQ +nDPhHx9kSNHKqc5HWwiW6jL4hlWhVXMPLTZ0EB2yoUBfbsIXiZL4/vXydjayNzOK +Q5+ke9C1khOTZ9Rw2f/BVB6s37KC5UwzinKBFuRtOnkDuKrkY9unke0fyuJ+qWK6 +Vnz1bOy0y1l8fkB7sPM06IEodQUbK6E3338aYAsbWYxAm8+Vol4F+KY7hPEqHFZf +Cp8WcPQLOuYKCT3ZR1M045c4YwsnQjK648LzwrRVSVMGXzMeCJARreFT2ic8eY5X +YTokboyN50+mxMLU7EW5 +=iu3B +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-14:22/namei-10.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:22/namei-10.patch Tue Oct 21 20:48:08 2014 (r45857) @@ -0,0 +1,94 @@ +Index: sys/kern/vfs_lookup.c +=================================================================== +--- sys/kern/vfs_lookup.c (revision 273277) ++++ sys/kern/vfs_lookup.c (working copy) +@@ -121,6 +121,16 @@ + * if symbolic link, massage name in buffer and continue + * } + */ ++static void ++namei_cleanup_cnp(struct componentname *cnp) ++{ ++ uma_zfree(namei_zone, cnp->cn_pnbuf); ++#ifdef DIAGNOSTIC ++ cnp->cn_pnbuf = NULL; ++ cnp->cn_nameptr = NULL; ++#endif ++} ++ + int + namei(struct nameidata *ndp) + { +@@ -185,11 +195,7 @@ + } + #endif + if (error) { +- uma_zfree(namei_zone, cnp->cn_pnbuf); +-#ifdef DIAGNOSTIC +- cnp->cn_pnbuf = NULL; +- cnp->cn_nameptr = NULL; +-#endif ++ namei_cleanup_cnp(cnp); + ndp->ni_vp = NULL; + return (error); + } +@@ -256,11 +262,7 @@ + } + } + if (error) { +- uma_zfree(namei_zone, cnp->cn_pnbuf); +-#ifdef DIAGNOSTIC +- cnp->cn_pnbuf = NULL; +- cnp->cn_nameptr = NULL; +-#endif ++ namei_cleanup_cnp(cnp); + return (error); + } + } +@@ -286,6 +288,7 @@ + if (KTRPOINT(curthread, KTR_CAPFAIL)) + ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL); + #endif ++ namei_cleanup_cnp(cnp); + return (ENOTCAPABLE); + } + while (*(cnp->cn_nameptr) == '/') { +@@ -298,11 +301,7 @@ + ndp->ni_startdir = dp; + error = lookup(ndp); + if (error) { +- uma_zfree(namei_zone, cnp->cn_pnbuf); +-#ifdef DIAGNOSTIC +- cnp->cn_pnbuf = NULL; +- cnp->cn_nameptr = NULL; +-#endif ++ namei_cleanup_cnp(cnp); + SDT_PROBE(vfs, namei, lookup, return, error, NULL, 0, + 0, 0); + return (error); +@@ -312,11 +311,7 @@ + */ + if ((cnp->cn_flags & ISSYMLINK) == 0) { + if ((cnp->cn_flags & (SAVENAME | SAVESTART)) == 0) { +- uma_zfree(namei_zone, cnp->cn_pnbuf); +-#ifdef DIAGNOSTIC +- cnp->cn_pnbuf = NULL; +- cnp->cn_nameptr = NULL; +-#endif ++ namei_cleanup_cnp(cnp); + } else + cnp->cn_flags |= HASBUF; + +@@ -378,11 +373,7 @@ + vput(ndp->ni_vp); + dp = ndp->ni_dvp; + } +- uma_zfree(namei_zone, cnp->cn_pnbuf); +-#ifdef DIAGNOSTIC +- cnp->cn_pnbuf = NULL; +- cnp->cn_nameptr = NULL; +-#endif ++ namei_cleanup_cnp(cnp); + vput(ndp->ni_vp); + ndp->ni_vp = NULL; + vrele(ndp->ni_dvp); Added: head/share/security/patches/SA-14:22/namei-10.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:22/namei-10.patch.asc Tue Oct 21 20:48:08 2014 (r45857) @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iQIcBAABAgAGBQJURsQYAAoJEO1n7NZdz2rndqIP/2KOMzeRy8OgxKuM634A88au +yoK6vBzkShyGaW/HrOQxdz6+5WElnrIgoeb+MZ2jA8IFo97SYwOS19ygBJrknDvn +u1XSwmZ3szDj/S70oOqbmKFFabP8fjIEhaHFa/OHakvv6KfcQdRIR7paLZc4ofGQ +Vq/Zoo+v2OO88Ais6Zkty70l4ZGcnBWpglp8j9qn+0J5tJwdt3raI52KHS+LKIWs +tP8MRxGf0GPQhuD2BI1Oh+XdETCxgF4yHav68eOAaJkjOi+ZHrhyXbnPMxTkkX1R +G6rOOYVdsJR+YpllWJowSgOB3M/HnkOKovalM2r0CtEn77rjsPK6cUBBqfdlSJAk +L42S85p7guE+oEZ0CwpdX8inKPwX5YjbRVpikQoNIPKjWak/+m2adq7sii455fJ0 +yNYNb24CnOS4wiBeqbUOkAYiLplxDhmR6TbqeklaD76rEopuf8bdO04OmUPFVWkG +4uin6TIXHvtCknOEZWGnTaA00nDJoHqnlU5F5AGB1x1wJIal7zwarRfw/U3sI5uV +hZoF5iiPH7OOYy5T9p78aYvbAyyl0W4CzLlMp1HM/c/KWoxAMXTquejfDggqsUvR +abNT5XjSjw5+MA66ArZsv16SQUIedW5J8iqOsW/Fy8OXRLKJupfMHdoB8ofJ+1zF +EPc5P5t949W1/E6GZDAk +=aaVY +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-14:22/namei-9.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:22/namei-9.patch Tue Oct 21 20:48:08 2014 (r45857) @@ -0,0 +1,98 @@ +Index: sys/kern/vfs_lookup.c +=================================================================== +--- sys/kern/vfs_lookup.c.orig ++++ sys/kern/vfs_lookup.c +@@ -121,6 +121,16 @@ + * if symbolic link, massage name in buffer and continue + * } + */ ++static void ++namei_cleanup_cnp(struct componentname *cnp) ++{ ++ uma_zfree(namei_zone, cnp->cn_pnbuf); ++#ifdef DIAGNOSTIC ++ cnp->cn_pnbuf = NULL; ++ cnp->cn_nameptr = NULL; ++#endif ++} ++ + int + namei(struct nameidata *ndp) + { +@@ -182,11 +192,7 @@ + } + #endif + if (error) { +- uma_zfree(namei_zone, cnp->cn_pnbuf); +-#ifdef DIAGNOSTIC +- cnp->cn_pnbuf = NULL; +- cnp->cn_nameptr = NULL; +-#endif ++ namei_cleanup_cnp(cnp); + ndp->ni_vp = NULL; + return (error); + } +@@ -248,11 +254,7 @@ + } + } + if (error) { +- uma_zfree(namei_zone, cnp->cn_pnbuf); +-#ifdef DIAGNOSTIC +- cnp->cn_pnbuf = NULL; +- cnp->cn_nameptr = NULL; +-#endif ++ namei_cleanup_cnp(cnp); + return (error); + } + } +@@ -278,8 +280,10 @@ + if (*(cnp->cn_nameptr) == '/') { + vrele(dp); + VFS_UNLOCK_GIANT(vfslocked); +- if (ndp->ni_strictrelative != 0) ++ if (ndp->ni_strictrelative != 0) { ++ namei_cleanup_cnp(cnp); + return (ENOTCAPABLE); ++ } + while (*(cnp->cn_nameptr) == '/') { + cnp->cn_nameptr++; + ndp->ni_pathlen--; +@@ -293,11 +297,7 @@ + ndp->ni_startdir = dp; + error = lookup(ndp); + if (error) { +- uma_zfree(namei_zone, cnp->cn_pnbuf); +-#ifdef DIAGNOSTIC +- cnp->cn_pnbuf = NULL; +- cnp->cn_nameptr = NULL; +-#endif ++ namei_cleanup_cnp(cnp); + SDT_PROBE(vfs, namei, lookup, return, error, NULL, 0, + 0, 0); + return (error); +@@ -309,11 +309,7 @@ + */ + if ((cnp->cn_flags & ISSYMLINK) == 0) { + if ((cnp->cn_flags & (SAVENAME | SAVESTART)) == 0) { +- uma_zfree(namei_zone, cnp->cn_pnbuf); +-#ifdef DIAGNOSTIC +- cnp->cn_pnbuf = NULL; +- cnp->cn_nameptr = NULL; +-#endif ++ namei_cleanup_cnp(cnp); + } else + cnp->cn_flags |= HASBUF; + +@@ -379,11 +375,7 @@ + vput(ndp->ni_vp); + dp = ndp->ni_dvp; + } +- uma_zfree(namei_zone, cnp->cn_pnbuf); +-#ifdef DIAGNOSTIC +- cnp->cn_pnbuf = NULL; +- cnp->cn_nameptr = NULL; +-#endif ++ namei_cleanup_cnp(cnp); + vput(ndp->ni_vp); + ndp->ni_vp = NULL; + vrele(ndp->ni_dvp); Added: head/share/security/patches/SA-14:22/namei-9.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:22/namei-9.patch.asc Tue Oct 21 20:48:08 2014 (r45857) @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iQIcBAABAgAGBQJURsQbAAoJEO1n7NZdz2rn7+YQAKhyf2yhQ+9oppNCmzuaFuFC +XzswwLhQwCUj8J7mkKtDHlhQuAO4Cmr/MEN37CFpvx5u9w4dnhCIuvKPICRju0bN ++KJoM/R/Szapx2x4Ntc0ld+qDH1CuECF3Vpm4A4d5x6I8rTggYAiIx70UTHMyzPs +xj9m9CKB2xpt6jZvz85a3eq/PW1A9qCumGX6da6Bo2NAO0sImpjlEiRzqmrmKKYZ +5wk1L1K71dPMo6TaRw234gMRYhhSn5GG7akRRWiB37UuJNC+Y8KwqinbG4eAXSiY +KFPkSqWPvdjLzpfGBaQTYpJvzm0Dzbwf7pjfOOLVOWfjqfMF/zn9huDMFIwtNFg6 +mPg7pBK3eXz4X6p+roeImdiFKV/RVZ6IzwS5ND6uMgTk3WdrwITjfjxxXEwR423X +/olyNl+8WP3AkLn/7lE0h9l+ZDwX2cwHIEeiD3ZDUb9OAPDKO9Ip+rdN2Wgxr2PT +wTltlTKnGB1FICFY5Vw5nL8QbiRmyZ3AxxM+DJveaFPBDRYyNXLQCUpDrPXE/OOm +7ic6FWErhNJcRWR+ONzoasZgeDeggfez6IS0MzSXPTPRoERrYNwGAWcKznXzfNiw +kJPQQaKEz1FOjVD3DoPwiO6Tno/810/h+T6exy1aEr8XMe0xyangdC8fPwLP5ndh *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201410212048.s9LKm9VO084176>