From: Xin LI
Date: Wed, 30 Apr 2014 04:32:38 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r44715 - in head/share: security/advisories security/patches/SA-14:07 security/patches/SA-14:08 security/patches/SA-14:09 xml

Author: delphij
Date: Wed Apr 30 04:32:38 2014
New Revision: 44715
URL: http://svnweb.freebsd.org/changeset/doc/44715

Log:
  Add 3 new advisories:

  Fix devfs rules not applied by default for jails. [SA-14:07]
  Fix OpenSSL use-after-free vulnerability. [SA-14:08]
  Fix TCP reassembly vulnerability. [SA-14:09]

Added:
  head/share/security/advisories/FreeBSD-SA-14:07.devfs.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-14:08.tcp.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-14:09.openssl.asc (contents, props changed)
  head/share/security/patches/SA-14:07/
  head/share/security/patches/SA-14:07/devfs.patch (contents, props changed)
  head/share/security/patches/SA-14:07/devfs.patch.asc (contents, props changed)
  head/share/security/patches/SA-14:08/
  head/share/security/patches/SA-14:08/tcp.patch (contents, props changed)
  head/share/security/patches/SA-14:08/tcp.patch.asc (contents, props changed)
  head/share/security/patches/SA-14:09/
  head/share/security/patches/SA-14:09/openssl.patch (contents, props changed)
  head/share/security/patches/SA-14:09/openssl.patch.asc (contents, props changed)
Modified:
  head/share/xml/advisories.xml

Added: head/share/security/advisories/FreeBSD-SA-14:07.devfs.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-14:07.devfs.asc Wed Apr 30 04:32:38 2014 (r44715) 
@@ -0,0 +1,149 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-14:07.devfs Security Advisory + The FreeBSD Project + +Topic: devfs rules not applied by default for jails + +Category: core +Module: etc_rc.d +Announced: 2014-04-30 +Affects: FreeBSD 10.0 +Corrected: 2014-04-30 04:03:05 UTC (stable/10, 10.0-STABLE) + 2014-04-30 04:04:42 UTC (releng/10.0, 10.0-RELEASE-p2) +CVE Name: CVE-2014-3001 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +The device file system, or devfs(5), provides access to kernel's device +namespace in the global file system namespace. + +The devfs(5) rule subsystem provides a way for the administrator of a system +to control the attributes of DEVFS nodes. Each DEVFS mount-point has a +``ruleset'', or a list of rules, associated with it, allowing the +administrator to change the properties, including the visibility, of certain +nodes. + +II. Problem Description + +The default devfs rulesets are not loaded on boot, even when jails are used. +Device nodes will be created in the jail with their normal default access +permissions, while most of them should be hidden and inaccessible. + +III. Impact + +Jailed processes can get access to restricted resources on the host system. +For jailed processes running with superuser privileges this implies access +to all devices on the system. This level of access could lead to information +leakage and privilege escalation. + +IV. Workaround + +Systems that do not run jails are not affected. 
+ +The system administrator can do the following to load the default ruleset: + +/etc/rc.d/devfs onestart + +Then apply the default ruleset for jails on a devfs mount using: + +devfs -m ${devfs_mountpoint} rule -s 4 applyset + +Or, alternatively, the following command will apply the ruleset over all devfs +mountpoints except the host one: + + mount -t devfs | grep -v '^devfs on /dev ' | awk '{print $3;}' | \ + xargs -n 1 -J % devfs -m % rule -s 4 applyset + +After this, the system administrator should add the following configuration +to /etc/rc.conf to make it permanent, so the above operations do not have +to be done each time the host system reboots. + + devfs_load_rulesets="YES" + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/SA-14:07/devfs.patch +# fetch http://security.FreeBSD.org/patches/SA-14:07/devfs.patch.asc +# gpg --verify devfs.patch.asc + +b) Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch +# install -o root -g wheel -m 444 etc/defaults/rc.conf /etc/defaults/ + +Follow the steps described in the "Workaround" section, or reboot the +system. + +3) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r265122 +releng/10.0/ r265124 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.22 (FreeBSD) + +iQIcBAEBCgAGBQJTYHsGAAoJEO1n7NZdz2rnXsQP/iInaOcBlBDIsZokdpQCgAoF +eSKuD5ihYTnlUew9l7lsizOn9se8Lj692FOXWsAjVqodp+A+ew8mUYNBjrOZnPDq +HMo/yV7iYHNMUFHOOa7baeUO5M84KIGwTvaWIhMtb7QsRIn3KkJaxBL75LbTjtAa +odBrXv+/3K2aG0s7rVGtykmWaWmmo/fln27wtZTo0jzLikw3l/iSNsW7qy3RZWKh +g48nf+yNlFPhUpcNnvtjdziw04aCT9KGLfJ8csY5inM5LgLs9TcXCYoHyFqyNWeD +f0+dEbUDTp/ATppz6cCovjpFbBS6wKfg1k3JoVBNtrVOyu7+qgTQi58JnVpmLdBx +s7msIWf/LlIiA9Jz0RKEdFbRBw1UVc45Zxse8gzVRnCxIwywFEuXDPQ0a3UxnQ1c +Te0/QQ/rodS/WpELhhu3DGq3aONbznuP/NzQRSQpe1Oqr56+ATiiUo7ITXjm7fpW +iqJ9I0BfeyrP/mI3cs2D8V6hOHqrlgdOSgoUwjpNcZCkO2yo/vl0Sk/NEhMhfHYO +Wn3Dc/dQYwgFjqL1UW4WGKe/j/SW/JFLyb0+r/mIDq8Z2en1kBSHWBtvRu2hoFc+ +mMZ2UpwxBXF71zeslajuGIZ/tfIsHmGLjj6BsRQcdbinEodwIJnlDb5y/KmsBV0w +Yyigteth/aK/m3ikDCGs +=qxER +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-14:08.tcp.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-14:08.tcp.asc Wed Apr 30 04:32:38 2014 (r44715) 
@@ -0,0 +1,154 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-14:08.tcp Security Advisory + The FreeBSD Project + +Topic: TCP reassembly vulnerability + +Category: core +Module: inet +Announced: 2014-04-30 +Credits: Jonathan Looney +Affects: All supported versions of FreeBSD. +Corrected: 2014-04-30 04:04:20 UTC (stable/8, 8.4-STABLE) + 2014-04-30 04:05:47 UTC (releng/8.4, 8.4-RELEASE-p9) + 2014-04-30 04:05:47 UTC (releng/8.3, 8.3-RELEASE-p16) + 2014-04-30 04:04:20 UTC (stable/9, 9.2-STABLE) + 2014-04-30 04:05:47 UTC (releng/9.2, 9.2-RELEASE-p5) + 2014-04-30 04:05:47 UTC (releng/9.1, 9.1-RELEASE-p12) + 2014-04-30 04:03:05 UTC (stable/10, 10.0-STABLE) + 2014-04-30 04:04:42 UTC (releng/10.0, 10.0-RELEASE-p2) +CVE Name: CVE-2014-3000 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +The Transmission Control Protocol (TCP) of the TCP/IP protocol suite +provides a connection-oriented, reliable, sequence-preserving data +stream service. When network packets making up a TCP stream (``TCP +segments'') are received out-of-sequence, they are maintained in a +reassembly queue by the destination system until they can be re-ordered +and re-assembled. + +II. Problem Description + +FreeBSD may add a reassemble queue entry on the stack into the segment list +when the reassembly queue reaches its limit. The memory from the stack is +undefined after the function returns. Subsequent iterations of the +reassembly function will attempt to access this entry. + +III. Impact + +An attacker who can send a series of specifically crafted packets with a +connection could cause a denial of service situation by causing the kernel +to crash. 
+ +Additionally, because the undefined on stack memory may be overwritten by +other kernel threads, while extremely difficult, it may be possible for +an attacker to construct a carefully crafted attack to obtain portion of +kernel memory via a connected socket. This may result in the disclosure of +sensitive information such as login credentials, etc. before or even +without crashing the system. + +IV. Workaround + +It is possible to defend to these attacks by doing traffic normalization +using a firewall. This can be done by including the following /etc/pf.conf +configuration: + + scrub in all + +This requires pf(4) to be enabled, and have the mentioned configuration +loaded. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/SA-14:08/tcp.patch +# fetch http://security.FreeBSD.org/patches/SA-14:08/tcp.patch.asc +# gpg --verify tcp.patch.asc + +b) Apply the patch. + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +3) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r265123 +releng/8.3/ r265125 +releng/8.4/ r265125 +stable/9/ r265123 +releng/9.1/ r265125 +releng/9.2/ r265125 +stable/10/ r265122 +releng/10.0/ r265124 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.22 (FreeBSD) + +iQIcBAEBCgAGBQJTYHsHAAoJEO1n7NZdz2rngywP/joAE0afufOlFvOsSxeeXUWg +kNhtEQV5iXgsbu8QPwM/ikmAgg2ONGLQ47A7w7vHF98qg8jk6W1aZCcRE5lIg8hg +WP5boSFvzvTXIQCo8EsIdcbnNBEA6CrtVQOIvWtuow2z8T0MtSou78Ctq2SO0O+8 +7lY9pFYguFBgUNmVC6jpChIGJS9uZtdz2Vn697B4fOyv1pn6wenW7teOsyN+4Dyj +7Wq/qppZDrYSnd+YdveUAFCyCoYIXcsLXbeeIVJC2g8x6LlDw8swZElZL6refX6L +UPDBViI3ctAcjEgzAP1fN3d9FpA5oGJ67J9QcDxYIfTj5YrQiYoTs49ER9FD7k9Q +UxrgLamZ45/D762/IpmLHCwD+FWdzhl9wufklUptrHNIyNyovwMxQDNnoGZUIKeZ +x1fAfctXRAztISyQ5xqVw3nKLauPCSG6IniyyZ12BcFxmDvoEcyOFLqB1eN+l5DB +aJvfiA4PjWIV1nVU+w4MKKAQbHQSgh9bu8EvYUuwNrGOtP49RV1HejWD85ePSgtr +KOQ0HU8CGmTpWOMkDQBl8Ap1boP9iUOTRp/WuIxwMi+AqoKRuDrWs0sOAXIksu2s +0sgGnbI0lrg77lBW4FPvMaCg1dlzlfv4J9AExAh6Ur52qxh5GaOcI2NhYWbxvijh +5wgOBszZXV2kPRDAaJTa +=uhXC +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-14:09.openssl.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-14:09.openssl.asc Wed Apr 30 04:32:38 2014 (r44715) 
@@ -0,0 +1,133 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-14:09.openssl Security Advisory + The FreeBSD Project + +Topic: OpenSSL use-after-free vulnerability + +Category: contrib +Module: openssl +Announced: 2014-04-30 +Affects: FreeBSD 10.x. +Corrected: 2014-04-30 04:03:05 UTC (stable/10, 10.0-STABLE) + 2014-04-30 04:04:42 UTC (releng/10.0, 10.0-RELEASE-p2) +CVE Name: CVE-2010-5298 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is +a collaborative effort to develop a robust, commercial-grade, full-featured +Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) +and Transport Layer Security (TLS v1) protocols as well as a full-strength +general purpose cryptography library. + +OpenSSL context can be set to a mode called SSL_MODE_RELEASE_BUFFERS, which +requests the library to release the memory it holds when a read or write buffer +is no longer needed for the context. + +II. Problem Description + +The buffer may be released before the library have finished using it. It is +possible that a different SSL connection in the same process would use the +released buffer and write data into it. + +III. Impact + +An attacker may be able to inject data to a different connection that they +should not be able to. + +IV. Workaround + +No workaround is available, but systems that do not use OpenSSL to implement +the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) +protocols, or not using SSL_MODE_RELEASE_BUFFERS and use the same process +to handle multiple SSL connections, are not vulnerable. + +The FreeBSD base system service daemons and utilities do not use the +SSL_MODE_RELEASE_BUFFERS mode. 
However, many third party software uses this +mode to reduce their memory footprint and may therefore be affected by this +issue. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/SA-14:09/openssl.patch +# fetch http://security.FreeBSD.org/patches/SA-14:09/openssl.patch.asc +# gpg --verify openssl.patch.asc + +Restart all deamons using the library, or reboot the system. + +3) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r265122 +releng/10.0/ r265124 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.22 (FreeBSD) + +iQIcBAEBCgAGBQJTYHsHAAoJEO1n7NZdz2rn2EsP+wYlobS4EiYtgspXAFgKLha1 +0aeA7UokUs21QRTV9tIiFD0Se5HwdmHdh94bRJMRFraU22QYbAelG5GPsZPdRCt4 +0ECLKUBDK6ng2M7UNyKhkstsL0+wBq6y5dzKjpR49QX4Vh2zEUYw5BcC5vrIk+YK +Qazq8l1t5bl9ebm9rIDmd2uCv/Qe1MgnMlAczeH9HckfzMiH6NhnAuiYpP7K0mIL +By6gpSxsHPeQShgJN/5kJjVGkdQK1/A1q0KnNf5r/itQdSC96NazKpCCpkud6RMm +k9aPxI5As5Scl70zuCUDAS6vbNI3dvzCU46k8t65/FTeYQO2lxje0QZpqaDiB3+2 +tbN5kDviQdWHlJyygCeNK3jxdv0H3+zUZidjPuo158Zcbhb4ckTEZtMtgTn0fRoY +alG8qLn3hLj51fPHQK3Ff96xL+1DrhT+3D18OYIbjx7LKtsJJbnorB3jrbW68Ggr +h0bW+8yAm1jDFM4kPQw6gcrmtyjxNhnVRLoeoBPSIkmS9cm+12YcXufbSyLm/WqG +hkpPCrvUXibZmLi0CDlRMhLkjaOUhEXQsV3OR0gCmuFtN52gncyrIoPaxs79HZ1A +g2JxLp7b56B2XOyakEmNc+rqJJkzi+LV8HTp5DcrbXjAunYk9ipfxPakqXFDD6jV +L3ElC6aFDJ2UchtmjBRk +=Y+tE +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-14:07/devfs.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:07/devfs.patch Wed Apr 30 04:32:38 2014 (r44715) 
@@ -0,0 +1,13 @@ +Index: etc/defaults/rc.conf +=================================================================== +--- etc/defaults/rc.conf (revision 265059) ++++ etc/defaults/rc.conf (working copy) +@@ -649,7 +649,7 @@ + devfs_system_ruleset="" # The name (NOT number) of a ruleset to apply to /dev + devfs_set_rulesets="" # A list of /mount/dev=ruleset_name settings to + # apply (must be mounted already, i.e. fstab(5)) +-devfs_load_rulesets="NO" # Enable to always load the default rulesets ++devfs_load_rulesets="YES" # Enable to always load the default rulesets + performance_cx_lowest="HIGH" # Online CPU idle state + performance_cpu_freq="NONE" # Online CPU frequency + economy_cx_lowest="HIGH" # Offline CPU idle state Added: head/share/security/patches/SA-14:07/devfs.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:07/devfs.patch.asc Wed Apr 30 04:32:38 2014 (r44715) 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.22 (FreeBSD) + +iQIcBAABCgAGBQJTYHsHAAoJEO1n7NZdz2rn4JoQAKTCSA9tdJAJXkdlJb+ZgX9N +iPCFkpMBHUFLBX3JR2OXCtb+bLaw+Q9//tnONk+52VBgSX6rcNEHsGpcbPA0oUcF +fhQ7XGbrAKrCtJpwOW87tlq0VJBNg1XOEK+hioM+eSiY8KruQZDsM7Aa60zQV4n9 +izTtaEmjUHXiwEKcrdOHrHX3blL4ZI4loX8VOQsUXeKJcxIY0ikTqKct/D4cKvQg +1e+DFroOv1eTfML01U36KPadqGrDNBwP07REIhqhlFqjnC2GKbdnh5TpHqpsGqmx +U0+h52JE2BtrLP5lZ8Pc5uqZCg+1G/UWAGt+GsTbnPnGYjgWClWmzrU7XQxShmma +HknWfsmNosOc9Cl8+/jcZuU6f/YNFH++s778P7Y6NXTXBI5RY5d0X44dRwO07ARq +nYX/P+lqiPHpWSBFdGkjlq8rFIF24bMBRbBfc7GzW2GEZcVnhfmYQiYpOyvOpLpn +T3pVPhalbNX1cFqR85mV2N3M0uLi5X56Ahw4P/YubRMXVqGqnHbUtjh4+zgpf2Sn +36Y1IuC8bLYqXewe+yeziz3lQPOOha0xDyx+MBBnI4alXR2fswcWCdkUn1IeAw+o +BxWBjy8373XnxHoOStLoL+O90PPEvCNYPJTXy38OO0bHEYMBvm1L0z2Q0JX9f8os +6h27mvRbLKelL5uRalcq +=rRKI +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-14:08/tcp.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:08/tcp.patch Wed Apr 30 04:32:38 2014 (r44715) 
@@ -0,0 +1,32 @@ +Index: sys/netinet/tcp_reass.c +=================================================================== +--- sys/netinet/tcp_reass.c (revision 264836) ++++ sys/netinet/tcp_reass.c (working copy) +@@ -211,7 +211,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int + * Investigate why and re-evaluate the below limit after the behaviour + * is understood. + */ +- if (th->th_seq != tp->rcv_nxt && ++ if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) && + tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) { + V_tcp_reass_overflows++; + TCPSTAT_INC(tcps_rcvmemdrop); +@@ -234,7 +234,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int + */ + te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT); + if (te == NULL) { +- if (th->th_seq != tp->rcv_nxt) { ++ if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) { + TCPSTAT_INC(tcps_rcvmemdrop); + m_freem(m); + *tlenp = 0; +@@ -282,7 +282,8 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int + TCPSTAT_INC(tcps_rcvduppack); + TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp); + m_freem(m); +- uma_zfree(V_tcp_reass_zone, te); ++ if (te != &tqs) ++ uma_zfree(V_tcp_reass_zone, te); + tp->t_segqlen--; + /* + * Try to present any queued data Added: head/share/security/patches/SA-14:08/tcp.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:08/tcp.patch.asc Wed Apr 30 04:32:38 2014 (r44715) 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.22 (FreeBSD) + +iQIcBAABCgAGBQJTYHsIAAoJEO1n7NZdz2rn4+gP/jJtvvI8bBFC/GwM9Au9uoMX +unxJheHR1+CJatBvdYloTWYFxSY11r8/gx2OCO+LmthgbISImbzRpNJUYFM1UrKc +zyNDakOzN94GViKfvBk33+R6zZyl7DDumjHtBPfldh3wWq3MZFJWOv0bXIJGGeUL +wMx8pdS3D15hjumSFWNz8W0B9H7aTr7fOlPw29VhR43EJKDAS9Zh//2249KmvMHG +6WnDtjZ3ECwU9ULtIooQGasSQK4Lr03L8Ok+cAl4gD+RZb+XAsHvIXfC9ZSzwEjx +t6p9cjTackdctgbXgIZyTFPjsV5QxVzqhRfWbL3Ykraa0bm0F4s3b67GlNF5krqg +1WUkw8dwSJ+f2QKe3rjLIp9UioF6x1eGw2Eh6VB46SGHt2ZRhLtLoDjz2Yv5p+IV +63azOIfxouvpK7N27EaEiRQCf+Ulo2+2nB2xUsdXnXXsGYwQK3xYcxk8fi8V/lXx +wbJztnD0KnlY/ms82nNgmd15o+8bckymSlsvZWCFLhiOfJpT9zmRDUZMrBFUFb7H +lr3yW5RmxwGx/t3y1fiH96ZwnmoQkwhNNSkbi8CoaVLXPSNwGe+W2DpMxC1T+LNc +WCCwwtWdrIKysQkV0N2esohPby0OOqpg6mhKSF6jkYookryKgGrfyr7jfSrOlG7N +h/vSkWl6T/d3uhWrEkno +=Ig1P +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-14:09/openssl.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:09/openssl.patch Wed Apr 30 04:32:38 2014 (r44715) @@ -0,0 +1,13 @@ +Index: crypto/openssl/ssl/s3_pkt.c +=================================================================== +--- crypto/openssl/ssl/s3_pkt.c (revision 265054) ++++ crypto/openssl/ssl/s3_pkt.c (working copy) +@@ -1055,7 +1055,7 @@ start: + { + s->rstate=SSL_ST_READ_HEADER; + rr->off=0; +- if (s->mode & SSL_MODE_RELEASE_BUFFERS) ++ if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0) + ssl3_release_read_buffer(s); + } + } Added: head/share/security/patches/SA-14:09/openssl.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:09/openssl.patch.asc Wed Apr 30 04:32:38 2014 (r44715) 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.22 (FreeBSD) + +iQIcBAABCgAGBQJTYHsIAAoJEO1n7NZdz2rnXW4QAOUbg8DpatUc/RbzTsQErhqI +HpxblP5yry0FkEXKU242ISjfeWEdq8TcnrheXwBGwOu09HK+et435I3TmAkLwhxN +X+pwmhVL5zgFykL/q+CfidiqdM6hSA1ucUxKgsa3bDGh0k1VLxrkB+ZRa9pFJmMF +tkI39NewPUoI7aBLy4P54ifOXKh9XFKwidxf55m+2XCIcLQftJ6QWcnGpRYZCOEs +CkUDwpmVPS/7nszif2mLtM9WHdiNme951GTBm1WKlqDy9+fajlk/Wxz6QxcAfdwj +3nZ75AVyPc9oSVl3iTRhYVUj2TiO+IQjoxCTMjEc/+HcIylXXxLxyPhQwm6rGW9H +bJudJIV3ysmOa/0PMZyYld0+xt1wepWwTKns3JcmEApkjmt768ZGH1a1aH4i8Gde +ksVxnipQtg2n0KaVJG5y0SlFt0RG8kJQBvLJoplz0PKL833hfpFkApHkuILjjjqk +z2VchAGSGa9hQRh+pGdufSqezXNYpZ120iTgTNbzuhGpBrWEWj/cC50ieQMlQE3l +r7GNFJDmxJUnj4TRjMqWaJg0IOdhPqnjwQ6OmMi+wl87JLKqnLWQWbk4hIh8tnTU +hr44gjb5tVJMDmwg+Lft7h4Ziq7f3uAUeolY8YOkcoYtCXNnrXmRmiO2LMafj+E4 +7IIuPElJQFIzvoTsFTDI +=nMI1 +-----END PGP SIGNATURE----- Modified: head/share/xml/advisories.xml ============================================================================== --- head/share/xml/advisories.xml Tue Apr 29 21:58:22 2014 (r44714) +++ head/share/xml/advisories.xml Wed Apr 30 04:32:38 2014 (r44715) @@ -11,6 +11,22 @@ 4 + 30 + + + FreeBSD-SA-14:09.openssl + + + + FreeBSD-SA-14:08.tcp + + + + FreeBSD-SA-14:07.devfs + + + + 08
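
Review bot: In the etc/defaults/rc.conf hunk of devfs.patch, setting devfs_load_rulesets to "YES" changes only the default, so a host whose /etc/rc.conf already carries devfs_load_rulesets="NO" keeps the old behaviour after the patch is installed. The Solution section of SA-14:07 should tell administrators to check /etc/rc.conf for such an override, and the inline comment "Enable to always load the default rulesets" could say that jails rely on this setting.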
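
Review bot: The first two tcp_reass() hunks of tcp.patch add !TCPS_HAVEESTABLISHED(tp->t_state) to the drop conditions, but the comment block above the first check ("Investigate why and re-evaluate the below limit ...") is unchanged, so nothing in the source explains why the in-sequence exception now applies only to established connections. Add a sentence to that comment. The same compound test (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) now appears at two sites and could be computed once into a local so the two cannot drift apart; the first changed line also runs past 80 columns.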
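
Review bot: In the third tcp_reass() hunk of tcp.patch, the new "if (te != &tqs)" guard covers only the uma_zfree() call, while tp->t_segqlen-- on the following line still runs when te is the stack entry. Confirm that t_segqlen was incremented for tqs on this path so the counter stays balanced, and add a short comment saying that tqs (judging by the &tqs comparison, the on-stack entry the advisory describes) must never be returned to V_tcp_reass_zone.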
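
Review bot: In the s3_pkt.c hunk of openssl.patch, the new condition "s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0" depends on & binding tighter than &&. It parses as intended, but the flag test should be wrapped in parentheses so the grouping is explicit. A one-line comment stating that the read buffer is released only when rbuf.left is zero would record why the extra test exists.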
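
Review bot: Section V.2 of FreeBSD-SA-14:09.openssl.asc goes from "gpg --verify openssl.patch.asc" straight to "Restart all deamons using the library", with no step that applies the patch or rebuilds the library, whereas SA-14:07 and SA-14:08 both include a "cd /usr/src" and "patch < /path/to/patch" step. Add the apply and rebuild steps, and correct "deamons" and "before the library have finished using it" in the same revision, since any change to the clearsigned text requires a new signature anyway.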
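
Review bot: The advisories.xml hunk and the added file names pair SA-14:08 with tcp and SA-14:09 with openssl, but the commit log pairs "Fix OpenSSL use-after-free vulnerability" with [SA-14:08] and "Fix TCP reassembly vulnerability" with [SA-14:09]. The log should be corrected so that a search of the revision history by advisory number lands on the right fix.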