From owner-svn-doc-head@freebsd.org Wed Nov  4 11:52:14 2015
Message-Id: <201511041152.tA4BqDU1081661@repo.freebsd.org>
From: Gleb Smirnoff
Date: Wed, 4 Nov 2015 11:52:13 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r47736 - in head/share: security/advisories security/patches/EN-15:19 security/patches/EN-15:20 security/patches/SA-15:25 xml

Author: glebius (src committer)
Date: Wed Nov  4 11:52:12 2015
New Revision: 47736
URL: https://svnweb.freebsd.org/changeset/doc/47736

Log:
  o Fix regressions related to SA-15:25 upgrade of NTP. [1]
  o Fix kqueue write events never fired for files greater than 2GB. [2]
  o Fix applications exiting due to segmentation violation on a correct
    memory address. [3]

  PR:		204046 [1]
  PR:		204203 [1]
  Errata Notice:	FreeBSD-EN-15:19.kqueue [2]
  Errata Notice:	FreeBSD-EN-15:20.vm [3]
  Approved by:	so

Added:
  head/share/security/advisories/FreeBSD-EN-15:19.kqueue.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-EN-15:20.vm.asc   (contents, props changed)
  head/share/security/patches/EN-15:19/kqueue.patch   (contents, props changed)
  head/share/security/patches/EN-15:19/kqueue.patch.asc   (contents, props changed)
  head/share/security/patches/EN-15:20/vm.patch   (contents, props changed)
  head/share/security/patches/EN-15:20/vm.patch.asc   (contents, props changed)
  head/share/security/patches/SA-15:25/ntp-101-inc.patch   (contents, props changed)
  head/share/security/patches/SA-15:25/ntp-101-inc.patch.asc   (contents, props changed)
  head/share/security/patches/SA-15:25/ntp-101.patch.xz   (contents, props changed)
  head/share/security/patches/SA-15:25/ntp-102-inc.patch   (contents, props changed)
  head/share/security/patches/SA-15:25/ntp-102-inc.patch.asc   (contents, props changed)
  head/share/security/patches/SA-15:25/ntp-102.patch.xz   (contents, props changed)
  head/share/security/patches/SA-15:25/ntp-93-inc.patch   (contents, props changed)
  head/share/security/patches/SA-15:25/ntp-93-inc.patch.asc   (contents, props changed)
  head/share/security/patches/SA-15:25/ntp-93.patch.xz   (contents, props changed)
Directory Properties:
  head/share/security/patches/EN-15:19/   (props changed)
  head/share/security/patches/EN-15:20/   (props changed)
Deleted:
  head/share/security/patches/SA-15:25/ntp-101.patch.bz2
  head/share/security/patches/SA-15:25/ntp-102.patch.bz2
  head/share/security/patches/SA-15:25/ntp-93.patch.bz2
Modified:
  head/share/security/advisories/FreeBSD-SA-15:25.ntp.asc
  head/share/security/patches/SA-15:25/ntp-101.patch.asc
  head/share/security/patches/SA-15:25/ntp-102.patch.asc
  head/share/security/patches/SA-15:25/ntp-93.patch.asc
  head/share/xml/notices.xml

Added: head/share/security/advisories/FreeBSD-EN-15:19.kqueue.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-15:19.kqueue.asc	Wed Nov  4 11:52:12 2015	(r47736)
@@ -0,0 +1,133 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-15:19.kqueue Errata Notice + The FreeBSD Project + +Topic: kqueue write events for files greater 2GB would never fire + +Category: core +Module: kern +Announced: 2015-11-04 +Credits: Steven Hartland +Affects: All supported versions of FreeBSD. +Corrected: 2015-09-24 08:42:08 UTC (stable/10, 10.2-STABLE) + 2015-11-04 11:27:13 UTC (releng/10.2, 10.2-RELEASE-p7) + 2015-11-04 11:27:21 UTC (releng/10.1, 10.1-RELEASE-p24) + 2015-09-24 09:35:35 UTC (stable/9, 9.3-STABLE) + 2015-11-04 11:27:30 UTC (releng/9.3, 9.3-RELEASE-p30) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security branches, +and the following sections, please visit +. + +I. Background + +The kqueue(2) system call provides a generic method of notifying the user +when an event happens or a condition holds, based on the results of small +pieces of kernel code termed filters. + +II. Problem Description + +Due to int usage for file offsets in the VOP_WRITE_(PRE|POST) macros, +kqueue(2) write events for files greater 2GB where never fired. + +III. Impact + +Any kqueue(2) consumer monitoring for file changes will fail to receive an +event if the monitored file is greater than 2GB. + +This causes commands such as 'tail -f' to never see updates. + +IV. Workaround + +For the specific case of tail(1), using '-F' instead of '-f' avoids the +issue, however other consumers of kqueue(2) events to monitor files do not +have a workaround. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date, and reboot the system. 
+ +2) To update your present system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +And reboot the system. + +3) To update your present system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-15:19/kqueue.patch +# fetch https://security.FreeBSD.org/patches/EN-15:19/kqueue.patch.asc +# gpg --verify kqueue.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r288168 +releng/9.3/ r290363 +stable/10/ r288167 +releng/10.1/ r290362 +releng/10.2/ r290361 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + +The latest revision of this Errata Notice is available at +https://security.FreeBSD.org/advisories/FreeBSD-EN-15:19.kqueue.asc + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iQIcBAEBCgAGBQJWOe7vAAoJEO1n7NZdz2rneAkP/0FCRnyH6vkJFZBbfdIQY5u7 +XPSbSD+2847aJRWw/xU+FWHsFjjcfKrvKqgRtdZXkTBe3FjTgiNbf6jQRCSy0f6u +odcPXt4ZprXmhn6BOsyF92NgDHE5VXIiO1h0Jz1Y/+PTi/52BjNbevGUox6VpbMc +t9XwxuARKG5bSNU+QdWdilP4H//+SAxuhK4Y96i6pccbT51DoO3ACCa8EpuOJYW9 +elXTQbB4XC1n0EATr5gtTwKE+5/yPDEgl9pPNjsN8UTWCqzPwxPTwfplf3idN5Vq +Oe5YIiI5aaAE16fSYUkIZR0kZ/ScR6gbmc2ALKRtHPa4+9g9TpNINpfmreV2htfH +CrUW4qGZaoABpX1X2sFJ6su2NCgW3DliOuSAJUyK8Re2XEJZVfcVauyWaZxocJhu +NRoH8yBoLJKrPB0Z3Dr9eygmDNGEvaFUB/ZpbeCbyebwyFTmTMUshwfZwcfPftaB +bNd+R4J9UkY5wJWYUve7VpGDY2L6+j2MoPnlZJDfZZpYmFByD/GmdV5Pxxl4yEj3 +2DBevZIGOGlH9E26JrPTcCYjkX15OS0KUkWQy7xv1jdxXCZ4AVbRq8CRiFdQ2JPU +uSsrwgrGPdYkku0k6xXbb5YDw4475lQPAy9gMSeEDCqcl4GjKf1AVbrN9Jq73C8o +c65YAK83vX3x9HDWCrss +=OODP +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-EN-15:20.vm.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-15:20.vm.asc Wed Nov 4 11:52:12 2015 (r47736) 
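Review bot: In FreeBSD-EN-15:19.kqueue.asc (the hunk above), the Topic line and section II both say "files greater 2GB" and section II says "where never fired"; these should read "files greater than 2GB" (as section III already does) and "were never fired". Section II could also state the mechanism in one line: the VOP_WRITE_(PRE|POST) locals were int, so any offset or size above INT_MAX was truncated and the post-write comparison could not see the file grow, which is exactly what kqueue.patch in this commit fixes by switching them to off_t. Minor consistency: step 1) ends "and reboot the system." with a comma before "and", while the EN-15:20 notice committed alongside it omits the comma; the two should match.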
@@ -0,0 +1,137 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-15:20.vm Errata Notice + The FreeBSD Project + +Topic: Applications exiting due to segmentation violation + on a correct memory address + +Category: core +Module: kernel +Announced: 2015-11-04 +Credits: Konstantin Belousov +Affects: All supported versions of FreeBSD. +Corrected: 2015-09-15 04:20:39 UTC (stable/10, 10.2-STABLE) + 2015-11-04 11:27:13 UTC (releng/10.2, 10.2-RELEASE-p7) + 2015-11-04 11:27:21 UTC (releng/10.1, 10.1-RELEASE-p24) + 2015-10-30 13:05:39 UTC (stable/9, 9.3-STABLE) + 2015-11-04 11:27:30 UTC (releng/9.3, 9.3-RELEASE-p30) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The FreeBSD virtual memory system provides processes with virtual +address space. Features of virtual address space include copy-on-write +pages and page wiring. + +II. Problem Description + +A race condition exists in the virtual memory implementation. When an +application writes to a valid address in its address space, and the +corresponding map entry is marked as copy-on-write, and right now +undergoes wiring process, and the corresponding page does not yet have +a page table entry installed, the application receives a segmentation +violation signal. A usual case for this scenario to happen is a write +into a never written map entry in a child process right after fork(2) +system call. + +III. Impact + +Under certain conditions, a correctly behaving application could be +terminated. + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date and reboot the system. 
+ +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# reboot + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-15:20/vm.patch +# fetch https://security.FreeBSD.org/patches/EN-15:20/vm.patch.asc +# gpg --verify vm.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r290194 +releng/9.3/ r290363 +stable/10/ r287846 +releng/10.1/ r290362 +releng/10.2/ r290361 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iQIcBAEBCgAGBQJWOe8FAAoJEO1n7NZdz2rnqBcP/2XPJ87Fr1b7I1i0R8ClJj5G +Kk+pGD+OkZF9h7ix0b1NrSBjB2quCFUy+u8ImPXMkSZM0Id7hAIX0VourkqcoHSL +CrsYTUXyqq4KU3E7xvoU4Q54cnDAd3hHIm9Gsduv1UNY02YBI/mRYqiMVnXKHGk/ +SLlmMtFCmLkXHJP5/Ynx1xILWC9c2xYLqfvlLbkTTbmtZn8gAQqgh1kfuEkzEvt4 +sgXx8kewUnv9Z2Oo+Xcqqrh5UfeppDEc7x8Y7a4tiSkW034xMETzC0xjrbq+4lE1 +2MU/j65ZN5Sq5EjrmHdnr5q0R7/V4CHjRcLAvw2UaVpNlfMNmVpe5uye/slUDRw0 +gCcztomi1heU78octR71kD0irhRVa+bcftsuanDRF8hs0czJL5BhPYyIaEb7e4s5 +tGQyyflncD4EONbI/rmfsQhLEaTTg240NtkZbQFY1f5FqoyFiKXX99Hwm1jHZsRR +OYGOAo3YZPx6biRdaIOPg0OTjqNw/mZgY3uQ/vCjWGAcgSzynDMkMJEOmyf+RBgZ +F4qWOxmmFMr9+X1+1c7/ApwjampmfCV/Z7UvJTaFkVuKPiFA4ubrJ3TmDLsQMzza +k9zumzxZAo+tsYD8ArbpPYlERe6JoF3axm/97JcFrn5iUcnaMM8vmawQo8xsrunx +GyLfwUPpXSI25C1iNJDx +=HTKc +-----END PGP SIGNATURE----- Modified: head/share/security/advisories/FreeBSD-SA-15:25.ntp.asc ============================================================================== --- head/share/security/advisories/FreeBSD-SA-15:25.ntp.asc Wed Nov 4 11:47:00 2015 (r47735) +++ head/share/security/advisories/FreeBSD-SA-15:25.ntp.asc Wed Nov 4 11:52:12 2015 (r47736) 
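Review bot: In FreeBSD-EN-15:20.vm.asc (the hunk above), section V steps 2) and 3) say "your vulnerable system" although this is an errata notice for a correctness bug rather than a vulnerability (the companion EN-15:19 says "your present system"), the kernel-recompile paragraph under 3) is missing its "c)" label, "Module:" reads "kernel" where EN-15:19 reads "kern", and section VII says "this advisory" instead of "this Errata Notice" and has four blank lines where the reference list should be. In section II, "and right now undergoes wiring process" would read better as "and is currently being wired"; since the fix in vm.patch removes the failing check and asserts the invariant instead, a sentence saying so would also help readers judge whether the symptom they saw matches.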
@@ -1,22 +1,22 @@ -----BEGIN PGP SIGNED MESSAGE----- -Hash: SHA1 +Hash: SHA512 ============================================================================= FreeBSD-SA-15:25.ntp Security Advisory The FreeBSD Project -Topic: Multiple vulnerabilities of ntp +Topic: Multiple vulnerabilities of ntp [REVISED] Category: contrib Module: ntp -Announced: 2015-10-26 +Announced: 2015-10-26, revised on 2015-11-04 Credits: Network Time Foundation Affects: All supported versions of FreeBSD. Corrected: 2015-10-26 11:35:40 UTC (stable/10, 10.2-STABLE) - 2015-10-26 11:36:55 UTC (releng/10.2, 10.2-RELEASE-p6) - 2015-10-26 11:37:31 UTC (releng/10.1, 10.1-RELEASE-p23) - 2015-10-26 11:36:40 UTC (stable/9, 9.3-STABLE) - 2015-10-26 11:42:25 UTC (releng/9.3, 9.3-RELEASE-p29) + 2015-11-04 11:27:13 UTC (releng/10.2, 10.2-RELEASE-p7) + 2015-11-04 11:27:21 UTC (releng/10.1, 10.1-RELEASE-p24) + 2015-11-02 10:39:26 UTC (stable/9, 9.3-STABLE) + 2015-11-04 11:27:30 UTC (releng/9.3, 9.3-RELEASE-p30) CVE Name: CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704, CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851, CVE-2015-7852, CVE-2015-7853, CVE-2015-7854, CVE-2015-7855, @@ -26,6 +26,12 @@ For general information regarding FreeBS including descriptions of the fields above, security branches, and the following sections, please visit https://security.FreeBSD.org/. +0. Revision history. + +v1.0 2015-10-26 Initial release. +v1.1 2015-11-04 Revised patches to address regression in ntpq(8), ntpdc(8) + utilities and lack of RAWDCF reference clock support in ntpd(8). + I. Background The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) 
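Review bot: In the two hunks above, the releng Corrected: stamps move to 2015-11-04 (-p7, -p24, -p30) and stable/9 moves to 2015-11-02, but stable/10 keeps its original 2015-10-26 stamp, and its revision r289997 is likewise unchanged in section VI further down; the new "0. Revision history" v1.1 entry should say whether stable/10 needed no regression fix, so users of that branch know they are already done. The v1.1 line also names the ntpq(8), ntpdc(8) and RAWDCF regressions but not the PRs that tracked them (204046 and 204203 per the commit log); listing them there would give readers somewhere to look. The Hash: change from SHA1 to SHA512 is fine and is matched by the regenerated signature at the end of the file.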
@@ -36,125 +42,120 @@ II. Problem Description Crypto-NAK packets can be used to cause ntpd(8) to accept time from an unauthenticated ephemeral symmetric peer by bypassing the authentication -required to mobilize peer associations. [CVE-2015-7871] FreeBSD 9.3 and -10.1 are not affected. +required to mobilize peer associations. [CVE-2015-7871] +FreeBSD 9.3 and 10.1 are not affected. -If ntpd(8) is fed a crafted mode 6 or mode 7 packet containing an unusual +If ntpd(8) is fed a crafted mode 6 or mode 7 packet containing an unusually long data value where a network address is expected, the decodenetnum() function will abort with an assertion failure instead of simply returning -a failure condition. [CVE-2015-7855] +a failure condition. [CVE-2015-7855] -If ntpd(8) is configured to allow remote configuration, and if the -(possibly spoofed) source IP address is allowed to send remote -configuration requests, and if the attacker knows the remote -configuration password or if ntpd(8) was configured to disable -authentication, then an attacker can send a set of packets to ntpd(8) that -may cause it to crash, with the hypothetical possibility of a small code -injection. [CVE-2015-7854] +If ntpd(8) is configured to allow remote configuration, and if the (possibly +spoofed) source IP address is allowed to send remote configuration requests, +and if the attacker knows the remote configuration password or if ntpd(8) +was configured to disable authentication, then an attacker can send a set +of packets to ntpd(8) that may cause it to crash, with the hypothetical +possibility of a small code injection. [CVE-2015-7854] A negative value for the datalen parameter will overflow a data buffer. -NTF's ntpd(8) driver implementations always set this value to 0 and are -therefore not vulnerable to this weakness. If you are running a custom +The NTF ntpd(8) driver implementation always sets this value to 0 and are +therefore not vulnerable to this weakness. 
If the system runs a custom refclock driver in ntpd(8) and that driver supplies a negative value for -datalen (no custom driver of even minimal competence would do this) -then ntpd would overflow a data buffer. It is even hypothetically -possible in this case that instead of simply crashing ntpd the -attacker could effect a code injection attack. [CVE-2015-7853] +datalen (no custom driver of even minimal competence would do this), then +ntpd(8) would overflow the data buffer. It is even hypothetically possible +in this case that instead of simply crashing ntpd(8), the attacker could +effect a code injection attack. [CVE-2015-7853] If an attacker can figure out the precise moment that ntpq(8) is listening -for data and the port number it is listening on or if the attacker can -provide a malicious instance ntpd(8) that victims will connect to then an -attacker can send a set of crafted mode 6 response packets that, if -received by ntpq(8), can cause ntpq(8) to crash. [CVE-2015-7852] - -If ntpd(8) is configured to allow remote configuration, and if the -(possibly spoofed) IP address is allowed to send remote configuration -requests, and if the attacker knows the remote configuration password -or if ntpd(8) was configured to disable authentication, then an attacker -can send a set of packets to ntpd that may cause ntpd(8) to overwrite -files. [CVE-2015-7851]. The default configuration of ntpd(8) within -FreeBSD does not allow remote configuration. - -If ntpd(8) is configured to allow remote configuration, and if the -(possibly spoofed) source IP address is allowed to send remote -configuration requests, and if the attacker knows the remote -configuration password or if ntpd(8) was configured to disable -authentication, then an attacker can send a set of packets to ntpd -that will cause it to crash and/or create a potentially huge log -file. 
Specifically, the attacker could enable extended logging, -point the key file at the log file, and cause what amounts to an -infinite loop. [CVE-2015-7850]. The default configuration of ntpd(8) -within FreeBSD does not allow remote configuration. - -If ntpd(8) is configured to allow remote configuration, and if the -(possibly spoofed) source IP address is allowed to send remote -configuration requests, and if the attacker knows the remote -configuration password or if ntpd was configured to disable -authentication, then an attacker can send a set of packets to -ntpd that may cause a crash or theoretically perform a code -injection attack. [CVE-2015-7849]. The default configuration of ntpd(8) -within FreeBSD does not allow remote configuration. - -If ntpd(8) is configured to enable mode 7 packets, and if the use -of mode 7 packets is not properly protected thru the use of the -available mode 7 authentication and restriction mechanisms, and -if the (possibly spoofed) source IP address is allowed to send -mode 7 queries, then an attacker can send a crafted packet to -ntpd that will cause it to crash. [CVE-2015-7848]. The default -configuration of ntpd(8) within FreeBSD does not allow mode 7 +for data and the port number on which it is listening, or if the attacker +can provide a malicious instance ntpd(8) that victims will connect to, then +an attacker can send a set of crafted mode 6 response packets that, if +received by ntpq(8), can cause ntpq(8) to crash. [CVE-2015-7852] + +If ntpd(8) is configured to allow remote configuration, and if the (possibly +spoofed) IP address is allowed to send remote configuration requests, and if +the attacker knows the remote configuration password or if ntpd(8) was +configured to disable authentication, then an attacker can send a set of +packets to ntpd that may cause ntpd(8) to overwrite files. [CVE-2015-7851] +The default configuration of ntpd(8) within FreeBSD does not allow remote +configuration. 
+ +If ntpd(8) is configured to allow remote configuration, and if the (possibly +spoofed) source IP address is allowed to send remote configuration +requests, and if the attacker knows the remote configuration password or if +ntpd(8) was configured to disable authentication, then an attacker can send +a set of packets to ntpd that will cause it to crash and/or create +a potentially huge log file. Specifically, the attacker could enable +extended logging, point the key file at the log file, and cause what amounts +to an infinite loop. [CVE-2015-7850] +The default configuration of ntpd(8) within FreeBSD does not allow remote +configuration. + +If ntpd(8) is configured to allow remote configuration, and if the (possibly +spoofed) source IP address is allowed to send remote configuration requests, +and if the attacker knows the remote configuration password or if ntpd(8) was +configured to disable authentication, then an attacker can send a set of +packets to ntpd(8) that may cause a crash or theoretically perform a code +injection attack. [CVE-2015-7849] +The default configuration of ntpd(8) within FreeBSD does not allow remote +configuration. + +If ntpd(8) is configured to enable mode 7 packets, and if the use of mode 7 +packets is not properly protected through the use of the available mode 7 +authentication and restriction mechanisms, and if the (possibly spoofed) +source IP address is allowed to send mode 7 queries, then an attacker can +send a crafted packet to ntpd that will cause it to crash. [CVE-2015-7848] +The default configuration of ntpd(8) within FreeBSD does not allow mode 7 packets. -If ntpd(8) is configured to use autokey, then an attacker can send -packets to ntpd that will, after several days of ongoing attack, -cause it to run out of memory. [CVE-2015-7701]. The default -configuration of ntpd(8) within FreeBSD does not use autokey. 
- -If ntpd(8) is configured to allow for remote configuration, and if -the (possibly spoofed) source IP address is allowed to send -remote configuration requests, and if the attacker knows the -remote configuration password, it's possible for an attacker -to use the "pidfile" or "driftfile" directives to potentially -overwrite other files. [CVE-2015-5196]. The default configuration -of ntpd(8) within FreeBSD does not allow remote configuration +If ntpd(8) is configured to use autokey, then an attacker can send packets to +ntpd that will, after several days of ongoing attack, cause it to run out of +memory. [CVE-2015-7701] +The default configuration of ntpd(8) within FreeBSD does not use autokey. + +If ntpd(8) is configured to allow for remote configuration, and if the +(possibly spoofed) source IP address is allowed to send remote configuration +requests, and if the attacker knows the remote configuration password, it is +possible for an attacker to use the "pidfile" or "driftfile" directives to +potentially overwrite other files. [CVE-2015-5196] +The default configuration of ntpd(8) within FreeBSD does not allow remote +configuration An ntpd(8) client that honors Kiss-of-Death responses will honor -KoD messages that have been forged by an attacker, causing it -to delay or stop querying its servers for time updates. Also, -an attacker can forge packets that claim to be from the target -and send them to servers often enough that a server that -implements KoD rate limiting will send the target machine a -KoD response to attempt to reduce the rate of incoming packets, -or it may also trigger a firewall block at the server for -packets from the target machine. For either of these attacks -to succeed, the attacker must know what servers the target -is communicating with. An attacker can be anywhere on the -Internet and can frequently learn the identity of the target's -time source by sending the target a time query. 
[CVE-2015-7704] - -The fix for CVE-2014-9750 was incomplete in that there were -certain code paths where a packet with particular autokey -operations that contained malicious data was not always being -completely validated. Receipt of these packets can cause ntpd -to crash. [CVE-2015-7702]. The default configuration of ntpd(8) -within FreeBSD does not use autokey. +Kiss-of-Death messages that have been forged by an attacker, causing it to +delay or stop querying its servers for time updates. Also, an attacker can +forge packets that claim to be from the target and send them to servers +often enough that a server that implements Kiss-of-Death rate limiting will +send the target machine a Kiss-of-Death response to attempt to reduce the +rate of incoming packets, or it may also trigger a firewall block at the +server for packets from the target machine. For either of these attacks to +succeed, the attacker must know what servers the target is communicating +with. An attacker can be anywhere on the Internet and can frequently learn +the identity of the time source of a target by sending the target a time +query. [CVE-2015-7704] + +The fix for CVE-2014-9750 was incomplete in that there were certain code +paths where a packet with particular autokey operations that contained +malicious data was not always being completely validated. Receipt of these +packets can cause ntpd to crash. [CVE-2015-7702]. +The default configuration of ntpd(8) within FreeBSD does not use autokey. III. Impact -An attacker which can send NTP packets to ntpd(8), which uses cryptographic +An attacker which can send NTP packets to ntpd(8) which uses cryptographic authentication of NTP data, may be able to inject malicious time data -causing the system clock to be set incorrectly. [CVE-2015-7871] +causing the system clock to be set incorrectly. 
[CVE-2015-7871] -An attacker which can send NTP packets to ntpd(8), can block the -communication of the daemon with time servers, causing the system -clock not being synchronized. [CVE-2015-7704] +An attacker which can send NTP packets to ntpd(8) can block the communication +of the daemon with time servers, causing the system clock not being +synchronized. [CVE-2015-7704] -An attacker which can send NTP packets to ntpd(8), can remotely crash -the daemon, sending malicious data packet. [CVE-2015-7855] [CVE-2015-7854] +An attacker which can send NTP packets to ntpd(8) can remotely crash the +daemon, sending malicious data packet. [CVE-2015-7855] [CVE-2015-7854] [CVE-2015-7853] [CVE-2015-7852] [CVE-2015-7849] [CVE-2015-7848] -An attacker which can send NTP packets to ntpd(8), can remotely -trigger the daemon to overwrite its configuration files. [CVE-2015-7851] -[CVE-2015-5196] +An attacker which can send NTP packets to ntpd(8) can remotely trigger the +daemon to overwrite its configuration files. [CVE-2015-7851] [CVE-2015-5196] IV. Workaround 
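Review bot: A few grammar slips survive the reflow in the hunk above. "The NTF ntpd(8) driver implementation always sets this value to 0 and are therefore not vulnerable" mixes singular and plural (use "is therefore not vulnerable"); the CVE-2015-5196 paragraph ends "does not allow remote configuration" with no full stop; "[CVE-2015-7702]." keeps a trailing period that every other CVE tag in the rewrite lost; and in section III, "causing the system clock not being synchronized" and "can remotely crash the daemon, sending malicious data packet" read better as "causing the system clock not to be synchronized" and "by sending malicious data packets". Several paragraphs still say "ntpd" without "(8)" (CVE-2015-7851, -7850, -7848, -7701, -7702) while the rest were normalized; worth finishing in the same pass.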
@@ -191,28 +192,50 @@ FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. -[FreeBSD 10.2] -# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.bz2 -# bunzip2 ntp-102.patch.bz2 +[*** v1.1 NOTE ***] If your sources are not yet patched using initial +advisory patches, then you need to apply full patches named ntp-NNN.patch, +where NNN stands for the release version. If your sources are already +updated, or patched with patches from initial advisory, then you need to +apply incremental patches, named ntp-NNN-inc.patch, where NNN stands for +the release version. + +[FreeBSD 10.2-RELEASE-p5, not patched with initial SA-15:25 patch] +# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.xz +# unxz ntp-102.patch.xz # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.asc # gpg --verify ntp-102.patch.asc -[FreeBSD 10.1] -# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.bz2 -# bunzip2 ntp-101.patch.bz2 +[FreeBSD 10.1-RELEASE-p22, not patched with initial SA-15:25 patch] +# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.xz +# unxz ntp-101.patch.xz # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.asc # gpg --verify ntp-101.patch.asc -[FreeBSD 9.3] -# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93.patch.bz2 -# bunzip2 ntp-93.patch.bz2 +[FreeBSD 9.3-RELEASE-p28, not patched with initial SA-15:25 patch] +# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93.patch.xz +# unxz ntp-93.patch.xz # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93.patch.asc # gpg --verify ntp-93.patch.asc +[FreeBSD 10.2-RELEASE-p6, initial SA-15:25 patch applied] +# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102-inc.patch +# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102-inc.patch.asc +# gpg --verify ntp-102-inc.patch.asc + +[FreeBSD 10.1-RELEASE-p23, initial 
SA-15:25 patch applied] +# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101-inc.patch +# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101-inc.patch.asc +# gpg --verify ntp-101-inc.patch.asc + +[FreeBSD 9.3-RELEASE-p29, initial SA-15:25 patch applied] +# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93-inc.patch +# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93-inc.patch.asc +# gpg --verify ntp-93-inc.patch.asc + b) Apply the patch. Execute the following commands as root: # cd /usr/src -# patch < /path/to/patch +# patch -p0 < /path/to/patch # find contrib/ntp -type f -empty -delete c) Recompile the operating system using buildworld and installworld as @@ -231,11 +254,11 @@ affected branch. Branch/path Revision - ------------------------------------------------------------------------- -stable/9/ r289998 -releng/9.3/ r290001 +stable/9/ r290269 +releng/9.3/ r290363 stable/10/ r289997 -releng/10.1/ r290000 -releng/10.2/ r289999 +releng/10.1/ r290362 +releng/10.2/ r290361 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the 
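Review bot: In hunk @@ -191 above, the v1.1 NOTE says to use the full ntp-NNN.patch if sources are "not yet patched" and the incremental ntp-NNN-inc.patch if they are "already updated, or patched with patches from initial advisory"; "already updated" is ambiguous (updated to what?), whereas the bracketed labels that follow make the rule exact (10.2-RELEASE-p5 versus -p6, and so on), so the note could simply tell the reader to compare the patch level reported by uname -r with those labels. For the three full-patch cases the commands run unxz before fetching the .asc and then "gpg --verify ntp-NNN.patch.asc", so the detached signature is over the decompressed ntp-NNN.patch, not the .xz; a one-line reminder of that would prevent "BAD signature" reports from people who verify before decompressing. Step b) now uses "patch -p0" for every case, full and incremental; if the incremental patches carry a different path prefix from the full ones, that single -p0 line will not work for both, so please confirm it was tested against each of the six files.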
@@ -269,17 +292,17 @@ https://security.FreeBSD.org/advisories/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 -iQIcBAEBAgAGBQJWLhOJAAoJEO1n7NZdz2rn91wP/2GwEt1boNQq2a7nYzv/mS5D -sYKkIi7o+2yr2BLXvtc3O7c9QC3/YeGsza9DTRqndcY572SWvRgtkFstMTTm8IV/ -RVlIE40gVR3tex0zo7BiD7uKUrxWxWcpwMbE5dzlE+vSybyyj0dSSkwUHJjrbJoA -RmyNuEEUhQn5sRCg6qJv/PLp2G7BcYAasKScukjm7QnLP2kq/tvM9mcqwfh2tadM -7kbf8uq+ykvsRzctaDnxQaB5+zJxBQYJjBelxQfIkNek0XGfdj3sRwISeFznbllq -mOLTIBaFiuEtHtusO7MKKavMgS5CQJOvuuvd/l3NY1MnxC6X/1SWig9KIKDIn/hv -q8dsnq7LLx+tO6Cv4Dub7EbC2ZP3xXGOC4Ie02z8bTZnbX7iwyPUidQQqtU9ra15 -rxzFcZnBxu+yyMNJVsV2qVV/r9OycgKxWlEELC1wYrK9fKfvLdA5aEGjDeU1Z+s6 -JS2zKr0t4F2bMrCsjYP1lQD8sHkCVjwJk+IJU/slcwSajDjBNlMH0yBxGYE1ETIZ -qMF7/PAkLe8V78pdYmXw9pcaPyhI+ihPLnNrdhX8AI2RX5jDK7IuUNJeUM04UrVB -8N+mMwgamcuCPWNNyXaL0bz21fexZOuhHmU+B8Yn3SFX5O5b/r9gGvrjo8ei8jOk -EUlBT3ViDhHNrI7PTaiI -=djPm +iQIcBAEBCgAGBQJWOe7GAAoJEO1n7NZdz2rnzLUQAOugJiyGHZFYllUnCF/EBFoo +UIKc3RjWAqreJ5Mg0upKqI7i2oHw4/VjxVjdvwdp7E5t6b+/LYA5jDCfO/RcuMMS +SZDyC2BWGq8kkSuwNZmo1js1WRUsdpTQPr3TLvoTh/o1w5D0ncLgqJz7IeuqlHer +2VG5yJP30OUyF1cdk4E9LJcDXx24u8iP0DN5e/0XJGST5/trp/+VYpMy7Vm8dv1l +IQks3wtU4tI574rQKjmAiQyRnvLq0TJ4v/eHHKP4PkMC6FNFUyJx0OhVqZdqWJXz +ynT28JY5d1SsiPlhUDfSRKGjdpi4kC4szv7ceCuAwmWiDlsNqinKadu9bz4Rwudt +qlgJZRmtoFcyeReHckZmEwcmW9hPT3i98kjWs83vZqGD9bw7Zt05HfZ/TPyTk3tg +ec1Dmvhx4s9jprypuThPgs3W7KlgnvdpYdc2aagiU/dqvTArzVuWeLP0ryo269CD +ZWbgVrfFZjhvi+/nUJD+eMoVLsJYBhNZoJEv7NvUSWizVE4bfD4oFkAxEHBpXxVo +VKt5V6edVR0rdmI3xFkiP8372UPbYN8KUfa1R5y4GWPbORv/Z5Wb/XAVmGlvkHNj +U0bmAWv5XOw3CtwFJnRaATl/H5+WqQOVthxvT9EHvt8fHczAq8HvDHS7bIrFDEdN +gVRXzv6oTlBVGq6sP17H +=Jtlu -----END PGP SIGNATURE----- Added: head/share/security/patches/EN-15:19/kqueue.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-15:19/kqueue.patch Wed Nov 4 11:52:12 2015 (r47736) 
@@ -0,0 +1,21 @@ +--- sys/sys/vnode.h.orig ++++ sys/sys/vnode.h +@@ -787,7 +787,8 @@ + + #define VOP_WRITE_PRE(ap) \ + struct vattr va; \ +- int error, osize, ooffset, noffset; \ ++ int error; \ ++ off_t osize, ooffset, noffset; \ + \ + osize = ooffset = noffset = 0; \ + if (!VN_KNLIST_EMPTY((ap)->a_vp)) { \ +@@ -795,7 +796,7 @@ + if (error) \ + return (error); \ + ooffset = (ap)->a_uio->uio_offset; \ +- osize = va.va_size; \ ++ osize = (off_t)va.va_size; \ + } + + #define VOP_WRITE_POST(ap, ret) \ Added: head/share/security/patches/EN-15:19/kqueue.patch.asc ============================================================================== Binary file. No diff available. Added: head/share/security/patches/EN-15:20/vm.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-15:20/vm.patch Wed Nov 4 11:52:12 2015 (r47736) 
@@ -0,0 +1,30 @@ +--- sys/vm/vm_map.c.orig ++++ sys/vm/vm_map.c +@@ -3969,12 +3969,10 @@ + vm_map_unlock_read(map); + return (KERN_PROTECTION_FAILURE); + } +- if ((entry->eflags & MAP_ENTRY_USER_WIRED) && +- (entry->eflags & MAP_ENTRY_COW) && +- (fault_type & VM_PROT_WRITE)) { +- vm_map_unlock_read(map); +- return (KERN_PROTECTION_FAILURE); +- } ++ KASSERT((prot & VM_PROT_WRITE) == 0 || (entry->eflags & ++ (MAP_ENTRY_USER_WIRED | MAP_ENTRY_NEEDS_COPY)) != ++ (MAP_ENTRY_USER_WIRED | MAP_ENTRY_NEEDS_COPY), ++ ("entry %p flags %x", entry, entry->eflags)); + if ((fault_typea & VM_PROT_COPY) != 0 && + (entry->max_protection & VM_PROT_WRITE) == 0 && + (entry->eflags & MAP_ENTRY_COW) == 0) { +@@ -4128,10 +4126,6 @@ + fault_type &= VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE; + if ((fault_type & prot) != fault_type) + return (KERN_PROTECTION_FAILURE); +- if ((entry->eflags & MAP_ENTRY_USER_WIRED) && +- (entry->eflags & MAP_ENTRY_COW) && +- (fault_type & VM_PROT_WRITE)) +- return (KERN_PROTECTION_FAILURE); + + /* + * If this page is not pageable, we have to get it for all possible Added: head/share/security/patches/EN-15:20/vm.patch.asc ============================================================================== Binary file. No diff available. Added: head/share/security/patches/SA-15:25/ntp-101-inc.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-15:25/ntp-101-inc.patch Wed Nov 4 11:52:12 2015 (r47736) 
@@ -0,0 +1,11 @@ +--- usr.sbin/ntp/config.h.orig ++++ usr.sbin/ntp/config.h +@@ -120,7 +120,7 @@ + #define CLOCK_PST 1 + + /* DCF77 raw time code */ +-/* #undef CLOCK_RAWDCF */ ++#define CLOCK_RAWDCF 1 + + /* RCC 8000 clock */ + /* #undef CLOCK_RCC8000 */ Added: head/share/security/patches/SA-15:25/ntp-101-inc.patch.asc ============================================================================== Binary file. No diff available. Modified: head/share/security/patches/SA-15:25/ntp-101.patch.asc ============================================================================== Binary file (source and/or target). No diff available. Added: head/share/security/patches/SA-15:25/ntp-101.patch.xz ============================================================================== Binary file. No diff available. Added: head/share/security/patches/SA-15:25/ntp-102-inc.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-15:25/ntp-102-inc.patch Wed Nov 4 11:52:12 2015 (r47736) 
@@ -0,0 +1,11 @@ +--- usr.sbin/ntp/config.h.orig ++++ usr.sbin/ntp/config.h +@@ -120,7 +120,7 @@ + #define CLOCK_PST 1 + + /* DCF77 raw time code */ +-/* #undef CLOCK_RAWDCF */ ++#define CLOCK_RAWDCF 1 + + /* RCC 8000 clock */ + /* #undef CLOCK_RCC8000 */ Added: head/share/security/patches/SA-15:25/ntp-102-inc.patch.asc ============================================================================== Binary file. No diff available. Modified: head/share/security/patches/SA-15:25/ntp-102.patch.asc ============================================================================== Binary file (source and/or target). No diff available. Added: head/share/security/patches/SA-15:25/ntp-102.patch.xz ============================================================================== Binary file. No diff available. Added: head/share/security/patches/SA-15:25/ntp-93-inc.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-15:25/ntp-93-inc.patch Wed Nov 4 11:52:12 2015 (r47736) 
@@ -0,0 +1,37 @@ +--- usr.sbin/ntp/config.h.orig ++++ usr.sbin/ntp/config.h +@@ -120,7 +120,7 @@ + #define CLOCK_PST 1 + + /* DCF77 raw time code */ +-/* #undef CLOCK_RAWDCF */ ++#define CLOCK_RAWDCF 1 + + /* RCC 8000 clock */ + /* #undef CLOCK_RCC8000 */ +--- usr.sbin/ntp/ntpdc/Makefile.orig ++++ usr.sbin/ntp/ntpdc/Makefile +@@ -17,8 +17,8 @@ + -I${.CURDIR}/../../../lib/libc/${MACHINE_ARCH} \ + -I${.CURDIR}/../ -I${.CURDIR} + +-DPADD= ${LIBNTP} ${LIBM} ${LIBOPTS} ${LIBEDIT} ${LIBTERMCAP} +-LDADD= ${LIBNTP} -lm ${LIBOPTS} -ledit -ltermcap ++DPADD= ${LIBNTP} ${LIBM} ${LIBOPTS} ${LIBEDIT} ${LIBTERMCAP} ${LIBPTHREAD} ++LDADD= ${LIBNTP} -lm ${LIBOPTS} -ledit -ltermcap -lpthread + + CFLAGS+= -DHAVE_LIBEDIT -DHAVE_READLINE_READLINE_H \ + -I${DESTDIR}/${INCLUDEDIR}/edit +--- usr.sbin/ntp/ntpq/Makefile.orig ++++ usr.sbin/ntp/ntpq/Makefile +@@ -20,8 +20,8 @@ + -I${.CURDIR}/../../../contrib/ntp/sntp/libopts \ + -I${.CURDIR}/../ + +-DPADD= ${LIBEDIT} ${LIBNTP} ${LIBM} ${LIBOPTS} +-LDADD= -ledit ${LIBNTP} -lm ${LIBOPTS} ++DPADD= ${LIBEDIT} ${LIBNTP} ${LIBM} ${LIBOPTS} ${LIBPTHREAD} ++LDADD= -ledit ${LIBNTP} -lm ${LIBOPTS} -lpthread + + .if ${MK_OPENSSL} != "no" + DPADD+= ${LIBCRYPTO} Added: head/share/security/patches/SA-15:25/ntp-93-inc.patch.asc ============================================================================== Binary file. No diff available. Modified: head/share/security/patches/SA-15:25/ntp-93.patch.asc ============================================================================== Binary file (source and/or target). No diff available. Added: head/share/security/patches/SA-15:25/ntp-93.patch.xz ============================================================================== Binary file. No diff available. Modified: head/share/xml/notices.xml ============================================================================== --- head/share/xml/notices.xml Wed Nov 4 11:47:00 2015 (r47735) +++ head/share/xml/notices.xml Wed Nov 4 11:52:12 2015 (r47736) 
@@ -8,6 +8,22 @@ 2015 + 11 + + + 4 + + + FreeBSD-EN-15:20.vm + + + + FreeBSD-EN-15:19.kqueue + + + + + 9
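Review bot: step b) of the revised advisory still reads as a single `patch -p0 < /path/to/patch`, but the fetch section above it now offers an incremental patch (`ntp-101-inc.patch`, `ntp-93-inc.patch`) for systems labelled "initial SA-15:25 patch applied". Say explicitly that a system that already applied the first patch needs only the `-inc` file, that a fresh system applies the full patch only, and whether the `find contrib/ntp -type f -empty -delete` step has to be repeated after the incremental patch, since that command deletes files under /usr/src as root. The switch to `-p0` is consistent with the `--- usr.sbin/ntp/config.h.orig` / `+++ usr.sbin/ntp/config.h` headers in the new patches. In the revision table, `stable/9/` and all three releng branches get new revisions while `stable/10/` stays at r289997; if that is deliberate a short note avoids readers assuming a line was missed.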
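Review bot: in the kqueue.patch hunk for sys/sys/vnode.h, widening `osize`, `ooffset` and `noffset` from `int` to `off_t` in VOP_WRITE_PRE removes the truncation of 64-bit offsets, but the consumer of those variables, `VOP_WRITE_POST(ap, ret)`, appears only as trailing context; check that its comparisons of `noffset` against `osize` and `ooffset`, and whatever it passes on to the knote call, involve no remaining `int` temporaries. The explicit `(off_t)va.va_size` cast indicates `va_size` is not itself `off_t`; a one-line comment on why the cast is needed would help the next reader.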
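Review bot: in the first vm.patch hunk (line 3969), the replacement KASSERT tests `prot & VM_PROT_WRITE` where the removed code tested `fault_type & VM_PROT_WRITE`, and it tests `MAP_ENTRY_NEEDS_COPY` where the removed code tested `MAP_ENTRY_COW`. Both differences look intentional (the assertion documents that a user-wired entry can never still need a copy, instead of rejecting a legitimate write fault on a COW entry), but they deserve a sentence in the patch or the EN text, because the net effect is that the runtime `KERN_PROTECTION_FAILURE` return is gone and a violated invariant now trips only on INVARIANTS kernels. Also confirm `prot` is computed before this point, since the hunk shows only the tail of the preceding protection check.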
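Review bot: the second vm.patch hunk (line 4128) removes the same USER_WIRED/COW/WRITE check but adds no KASSERT, unlike the first hunk. If the invariant holds on this lookup path too, mirroring the assertion keeps the two paths consistent; if it does not, a comment explaining why this path needs none would prevent someone "fixing" the asymmetry later.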
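Review bot: the three incremental NTP patches share an identical config.h hunk (`/* #undef CLOCK_RAWDCF */` becoming `#define CLOCK_RAWDCF 1`), but only ntp-93-inc.patch also touches usr.sbin/ntp/ntpdc/Makefile and usr.sbin/ntp/ntpq/Makefile to add `${LIBPTHREAD}` to DPADD and `-lpthread` to LDADD. The DPADD/LDADD pairs are updated consistently with the existing `${LIBM}`/`-lm` style, which is good; a remark in the advisory that the libpthread linkage is needed only on 9.3 would save readers wondering why the 10.1 and 10.2 patches differ. Also worth stating in the advisory which functionality the re-enabled `CLOCK_RAWDCF` restores, since the original advisory's patch evidently dropped it.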
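Review bot: the notices.xml hunk adds a new month group (`11`, day `4`) with entries for FreeBSD-EN-15:20.vm and FreeBSD-EN-15:19.kqueue ahead of the existing `9` group; the element markup has been lost in this rendering, so the nesting cannot be verified here. Confirm the new month element is closed before the existing `9` entry and that the EN-15:20-before-EN-15:19 order matches the ordering used for the existing entries in the file.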