Date: Tue, 6 Dec 2016 19:15:01 +0000 (UTC)
From: Gleb Smirnoff <glebius@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r49711 - in head/share: security/advisories security/patches/EN-16:19 security/patches/EN-16:20 security/patches/EN-16:21 security/patches/SA-16:36 security/patches/SA-16:37 security/pa...
Message-ID: <201612061915.uB6JF1Kb029635@repo.freebsd.org>
Author: glebius (src committer)
Date: Tue Dec 6 19:15:01 2016
New Revision: 49711
URL: https://svnweb.freebsd.org/changeset/doc/49711

Log:
  Document EN-16:19.tzcode, EN-16:20.tzdata, EN-16:21.localedef;
  SA-16:36.telnetd, SA-16:37.libc, SA-16:38.bhyve;

Added:
  head/share/security/advisories/FreeBSD-EN-16:19.tzcode.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-EN-16:20.tzdata.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-EN-16:21.localedef.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-16:36.telnetd.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-16:37.libc.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-16:38.bhyve.asc (contents, props changed)
  head/share/security/patches/EN-16:19/
  head/share/security/patches/EN-16:19/tzcode.patch (contents, props changed)
  head/share/security/patches/EN-16:19/tzcode.patch.asc (contents, props changed)
  head/share/security/patches/EN-16:20/
  head/share/security/patches/EN-16:20/tzdata-10.1.patch (contents, props changed)
  head/share/security/patches/EN-16:20/tzdata-10.1.patch.asc (contents, props changed)
  head/share/security/patches/EN-16:20/tzdata-10.2.patch (contents, props changed)
  head/share/security/patches/EN-16:20/tzdata-10.2.patch.asc (contents, props changed)
  head/share/security/patches/EN-16:20/tzdata-10.3.patch (contents, props changed)
  head/share/security/patches/EN-16:20/tzdata-10.3.patch.asc (contents, props changed)
  head/share/security/patches/EN-16:20/tzdata-11.0.patch (contents, props changed)
  head/share/security/patches/EN-16:20/tzdata-11.0.patch.asc (contents, props changed)
  head/share/security/patches/EN-16:20/tzdata-9.3.patch (contents, props changed)
  head/share/security/patches/EN-16:20/tzdata-9.3.patch.asc (contents, props changed)
  head/share/security/patches/EN-16:21/
  head/share/security/patches/EN-16:21/localedef.patch (contents, props changed)
  head/share/security/patches/EN-16:21/localedef.patch.asc (contents, props changed)
  head/share/security/patches/SA-16:36/
  head/share/security/patches/SA-16:36/telnetd.patch (contents, props changed)
  head/share/security/patches/SA-16:36/telnetd.patch.asc (contents, props changed)
  head/share/security/patches/SA-16:37/
  head/share/security/patches/SA-16:37/libc.patch (contents, props changed)
  head/share/security/patches/SA-16:37/libc.patch.asc (contents, props changed)
  head/share/security/patches/SA-16:38/
  head/share/security/patches/SA-16:38/bhyve-10.patch (contents, props changed)
  head/share/security/patches/SA-16:38/bhyve-10.patch.asc (contents, props changed)
  head/share/security/patches/SA-16:38/bhyve.patch (contents, props changed)
  head/share/security/patches/SA-16:38/bhyve.patch.asc (contents, props changed)
Modified:
  head/share/xml/advisories.xml
  head/share/xml/notices.xml

Added: head/share/security/advisories/FreeBSD-EN-16:19.tzcode.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-16:19.tzcode.asc Tue Dec 6 19:15:01 2016 (r49711) 
@@ -0,0 +1,133 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-16:19.tzcode Errata Notice + The FreeBSD Project + +Topic: Avoid warnings about valid time zone abbreviations + +Category: contrib +Module: tzcode +Announced: 2016-12-06 +Credits: Baptiste Daroussin +Affects: All supported versions of FreeBSD +Corrected: 2016-10-15 12:37:57 UTC (stable/11, 11.0-STABLE) + 2016-12-05 23:17:05 UTC (releng/11.0, 11.0-RELEASE-p4) + 2016-10-15 12:38:21 UTC (stable/10, 10.3-STABLE) + 2016-12-05 23:13:16 UTC (releng/10.3, 10.3-RELEASE-p13) + 2016-12-05 23:12:22 UTC (releng/10.2, 10.2-RELEASE-p26) + 2016-12-05 23:09:54 UTC (releng/10.1, 10.1-RELEASE-p43) + 2016-10-15 12:38:50 UTC (stable/9, 9.3-STABLE) + 2016-12-05 22:43:24 UTC (releng/9.3, 9.3-RELEASE-p51) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +The zic(8) utility reads text from the file(s) named on the command line +and creates the time conversion information files specified in this input. + +The zdump(8) utility prints the current time in each zonename named on the +command line. + +II. Problem Description + +Until 2000, timezone abbreviations starting with ':', and could not contain +',', '-', '+', NUL, or a digit for POSIX compatibility. In 2001, the POSIX +compatibility rules changed, and timezone abbreviations can contain only +'-', '+', and alphanumeric characters from the portable character set in the +current locale. + +III. Impact + +This is needed to be able to update tzdata to a newer version. + +IV. Workaround + +No workaround is available, however systems configured to use Coordinated +Universal Time (UTC) are not affected. + +V. 
Solution + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-16:19/tzcode.patch +# fetch https://security.FreeBSD.org/patches/EN-16:19/tzcode.patch.asc +# gpg --verify tzcode.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r307360 +releng/9.3/ r309567 +stable/10/ r307359 +releng/10.1/ r309570 +releng/10.2/ r309571 +releng/10.3/ r309572 +stable/11/ r307358 +releng/11.0/ r309573 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-16:19.tzcode.asc> +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJYRw1nAAoJEO1n7NZdz2rnaowQAM/QDvH9LzIUfnydfZklBvPM +vCF0M6aDsGZNONQCik/ZdyICZ8lws/DcVKG4cz3Fth8XRI0GYsFQPO1m1AJICdVX +CH8bVmgFN0ajChezScYgXNG3qIlQKkeZK1dMaZwLkI02wtn9InqPW4vdecIUcegr +cLK8ppPTB51iWZp0HGXcURzCJRy444l6KhFwfPJdB0dzjrBRkQZXP4ewW1hVuZMK +/trACy5TzKahEzwbqtyNjC22Ou73rb39kH5XweGIx38WfyXeqh3mLwC1qny7PCcI +44V60ovwNyxzUHFFueriDeTeNp+rPkzn6MbjMbtJIhN4K3rO3ekw3KyR6lpZN0WI +VM9Lvz0+vuTHjDuJqte/yiztyexj+aol7xOMv0Ak/0JlXigFwsOVqx0zHn6cHUey +oB9cgNlmb8N51HRX0UiI6x/MJO5ZQm53LsD+YTr1y8iQDHtE2JJfnLj9v/rnFK/q +cPqwxD1vYWQa9rnImFMdI6Ahix3LvSNQLQybWYgSkq+AH5Nbsqfl3CbJdE5ry7Xn +bllPD5cbLTZVqA4hdGpptEAPFBiHgsExxPHswn1uvkMQEettVKb7hzNXkVF4p1GB +CSq80neXh2GyvyA+G07I/7uNmFqzthnGQRsI0PJAItazZnwGlnyGDDtF7okpOkYO +M70LiIMI27QIqMdiWfO5 +=68Rp +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-EN-16:20.tzdata.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-16:20.tzdata.asc Tue Dec 6 19:15:01 2016 (r49711) 
@@ -0,0 +1,176 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-16:20.tzdata Errata Notice + The FreeBSD Project + +Topic: Timezone database information update + +Category: contrib +Module: zoneinfo +Announced: 2016-12-06 +Credits: Maxim Sobolev +Affects: All supported versions of FreeBSD +Corrected: 2016-11-04 17:55:50 UTC (stable/11, 11.0-STABLE) + 2016-12-06 00:06:16 UTC (releng/11.0, 11.0-RELEASE-p4) + 2016-11-04 17:55:50 UTC (stable/10, 10.3-STABLE) + 2016-12-05 23:30:13 UTC (releng/10.3, 10.3-RELEASE-p13) + 2016-12-05 23:26:06 UTC (releng/10.2, 10.2-RELEASE-p26) + 2016-12-05 23:23:13 UTC (releng/10.1, 10.1-RELEASE-p43) + 2016-11-04 17:55:50 UTC (stable/9, 9.3-STABLE) + 2016-12-05 23:02:02 UTC (releng/9.3, 9.3-RELEASE-p51) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +The tzsetup(8) program allows the user to specify the default local +timezone. Based on the selected timezone, tzsetup(8) copies one of the +files from /usr/share/zoneinfo to /etc/localtime. This file actually +controls the conversion. + +II. Problem Description + +Several changes in Daylight Savings Time happened after previous +FreeBSD releases were released that would affect many people who +live in different countries. Because of these changes, the data in +the zoneinfo files need to be updated, and if the local timezone on +the running system is affected, tzsetup(8) needs to be run so the +/etc/localtime is updated. + +III. 
Impact + +An incorrect time will be displayed on a system configured to use one +of the affected timezones if the /usr/share/zoneinfo and /etc/localtime +files are not updated, and all applications on the system that rely on +the system time, such as cron(8) and syslog(8), will be affected. + +IV. Workaround + +The system administrator can install an updated timezone database from +the misc/zoneinfo port and run tzsetup(8) to get the timezone database +corrected. + +Applications that store and display times in Coordinated Universal Time +(UTC) are not affected. + +V. Solution + +Please note that some third party software, for instance PHP, Ruby, +Java and Perl, may be using different zoneinfo data source, in such +cases these software has to be updated separately. For software +packages that is installed via package collection, they can be +upgraded by doing a `pkg upgrade'. + +Following the instructions in this Errata Notice will update all of +the zoneinfo files to be the same as what was released with FreeBSD +release. + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. Restart all the affected +applications and daemons, or reboot the system. + +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Restart all the affected applications and daemons, or reboot the system. + +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. 
+ +[FreeBSD 11.0] +# fetch https://security.FreeBSD.org/patches/EN-16:20/tzdata-11.0.patch +# fetch https://security.FreeBSD.org/patches/EN-16:20/tzdata-11.0.patch.asc +# gpg --verify tzdata-11.0.patch.asc + +[FreeBSD 10.3] +# fetch https://security.FreeBSD.org/patches/EN-16:20/tzdata-10.3.patch +# fetch https://security.FreeBSD.org/patches/EN-16:20/tzdata-10.3.patch.asc +# gpg --verify tzdata-10.3.patch.asc + +[FreeBSD 10.2] +# fetch https://security.FreeBSD.org/patches/EN-16:20/tzdata-10.2.patch +# fetch https://security.FreeBSD.org/patches/EN-16:20/tzdata-10.2.patch.asc +# gpg --verify tzdata-10.2.patch.asc + +[FreeBSD 10.1] +# fetch https://security.FreeBSD.org/patches/EN-16:20/tzdata-10.1.patch +# fetch https://security.FreeBSD.org/patches/EN-16:20/tzdata-10.1.patch.asc +# gpg --verify tzdata-10.1.patch.asc + +[FreeBSD 9.3] +# fetch https://security.FreeBSD.org/patches/EN-16:20/tzdata-9.3.patch +# fetch https://security.FreeBSD.org/patches/EN-16:20/tzdata-9.3.patch.asc +# gpg --verify tzdata-9.3.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart all the affected applications and daemons, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r308302 +releng/9.3/ r309568 +stable/10/ r308302 +releng/10.1/ r309574 +releng/10.2/ r309576 +releng/10.3/ r309577 +stable/11/ r308302 +releng/11.0/ r309583 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-16:20.tzdata.asc> +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJYRw1qAAoJEO1n7NZdz2rnGCwQALsF2A+HnuJMUsbVUXfLCa92 +zzId31hBC039WwyAjsSeYO1GjKu/KRfsjV4yzJ9uArLBsx+wRRltMeuoMgl4P/z4 +huqh9huQJaRACPdgPoGfrPZItbKeo63sAOzMpBa0Z9TBaxN8NzTCAkcFt+iFM/Oi +eQaGH3JlfASFwIRN+CIlVhhUwfufsXf5KI5Vk2k3CmF88n5uQCUwybwckZYp2Cl5 +vHGJh5wkyh/pkZ3W4NljQdRXQYkosj27IIaAym4RCQnQgOlJYRxxEJWMw631EFRw +PIUgDfOcLKwG1e2V9XF0TnyKXvj7Uwt8lSUNyGUmfiBAdrWiSzfbL81+puKYzwOY +wisSNnEXpXBBhAMSVvWvt91o/Oe4HxJ7ZAT4w9FlUjbaJ3ahPh3phb9VPBXPuHhT +IJ+mWoEG3atQafJCPAwNmuIXh4V+Vo0UyimCrNBqWNOMqepyto93sdlYYcYhV/Bg +zhOWxbSObKPhoLrsaIKVRVVEvTeotDEZKNgKu6U+twaBv5JMnyUdlqQKfxYfmzAR +4N8YwFFSwrYiSVfGVBOM62AicSICNBxvzzb0xrvEw8c2KYbNv+MnE7/sQ/Wd/aR2 +t6PJIwYk7hAPSFmKLNf3ebYaTuybCyYWjYmzpplcRxBF9MuHxdd8bGuVvo/ZK1Jv +Lb0DmoBUk7O77KJxeqTI +=Pj/k +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-EN-16:21.localedef.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-16:21.localedef.asc Tue Dec 6 19:15:01 2016 (r49711) 
@@ -0,0 +1,132 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-16:21.localedef Errata Notice + The FreeBSD Project + +Topic: Incorrectly defined unicode character(s) + +Category: core +Module: localedef +Announced: 2016-12-06 +Credits: +Affects: FreeBSD 11.0 +Corrected: 2016-11-05 09:46:48 UTC (stable/11, 11.0-STABLE) + 2016-12-06 00:09:52 UTC (releng/11.0, 11.0-RELEASE-p4) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +The localedef(1) utility converts source definitions for locale categories +into a format usable by the functions and utilities whose operational +behavior is determined by the setting of the locale environment variables. + +II. Problem Description + +When compiling character class definitions, localedef(1) may incorrectly +coalesce non-consecutive ranges, so that unused codepoints located in a +gap between two ranges of characters belonging to a same class will be +included in that class. + +III. Impact + +Some Unicode codepoints that are reserved for later use may be reported as +valid by the ctype(3) / wctype(3) functions. Incorrect classification may +result in input validation errors. + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Restart all daemons that are running with unicode locale, or reboot the +system. 
+ +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-16:21/localedef.patch +# fetch https://security.FreeBSD.org/patches/EN-16:21/localedef.patch.asc +# gpg --verify localedef.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Note that rebuilding the localedef(1) utility only isn't enough to +fix already installed locales on your system. + +Restart all daemons that are running with unicode locale, or reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/11/ r308330 +releng/11.0/ r309584 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213013> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-16:21.localedef.asc> +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJYRw1tAAoJEO1n7NZdz2rn+l8QAKBNhMxJ4Gkqh/B8EwU0MR/v +flI0pOWEnxSyzGdMgL8KFng1YXCp77SlSp+uG5ASNBbJDroEVGQ2LcDQWEsr2QfE +I6a7xLNXx5l3ytiR50/eZRyIhWt7/aLzrtYvabJckvxkZCUZ8Itolvha7gu8HGk/ +Is5chXNQxOAYXOjJuiOY99o6oe9tXqGA+eKBkyjOyEUoYK0D402fkPaXvEajmYqD +ynS2N72zmyNp9ZT6d/UWwCPBr7VM9yXgx9cYhYBwxlYBfOeAAHIfjG6LULGyr+7Y +tDj+Q+1I1vEE3OtsnLeGFJw21sPZtnXVM4Dmly4OJoSngYrM+mb8DY96QGqAgRjh +5G4EqxIKUQQsoiCmqfFSy9zT2o0RHLjfCvMgBJS4jznijsY6YufodmG6P2Px+yMw +vW4PeCravUvCjMtJTfYDMoyxW1068m8JZk2X2ehDMCLh6gk8ytJn9z/E1TpEzEiM +5coP//KPmBQFrgYkSmj2FH1fuWCrU6Cw5JrWhATgw8+GLi5r42r44BQ5mj3rW8rz +5VVugAht06hR9jmkH8+c/OEOkhyrnU+Psvk9YfqN4yn5Etoa03taZw/L0UHRk0M1 +vb/krFMtbGBeh4XOH4N8YJ+jaO2pw1bLIBKpdGB6fSgyHuN5vNhi0eO3NOy7HSuh +hEh9Vaqvzd8mefLV653c +=XdaZ +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-16:36.telnetd.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-16:36.telnetd.asc Tue Dec 6 19:15:01 2016 (r49711) 
@@ -0,0 +1,157 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-16:36.telnetd Security Advisory + The FreeBSD Project + +Topic: Possible login(1) argument injection in telnetd(8) + +Category: core +Module: telnetd +Announced: 2016-12-06 +Credits: Brooks Davis (sponsored by: DARPA, AFRL) +Affects: All supported versions of FreeBSD. +Corrected: 2016-12-06 18:52:02 UTC (stable/11, 11.0-STABLE) + 2016-12-06 18:49:38 UTC (releng/11.0, 11.0-RELEASE-p4) + 2016-12-06 18:52:18 UTC (stable/10, 10.3-STABLE) + 2016-12-06 18:49:48 UTC (releng/10.3, 10.3-RELEASE-p13) + 2016-12-06 18:49:54 UTC (releng/10.2, 10.2-RELEASE-p26) + 2016-12-06 18:49:59 UTC (releng/10.1, 10.1-RELEASE-p43) + 2016-12-06 18:52:33 UTC (stable/9, 9.3-STABLE) + 2016-12-06 18:50:06 UTC (releng/9.3, 9.3-RELEASE-p51) +CVE Name: CVE-2016-1888 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The FreeBSD telnet daemon, telnetd(8), implements the server side of the +TELNET virtual terminal protocol. It has been disabled by default in +FreeBSD since August 2001, and due to the lack of cryptographic security +in the TELNET protocol, it is strongly recommended that the SSH protocol +be used instead. The FreeBSD telnet daemon can be enabled via the +/etc/inetd.conf configuration file and the inetd(8) daemon. + +After a user is connected, telnetd executes the login(1) program or a +similar program specified by the -p <loginprog> argument. In order to do +so, it constructs an array of command line arguments which are passed to +execv(3). + +II. 
Problem Description + +An unexpected sequence of memory allocation failures combined with +insufficient error checking could result in the construction and +execution of an argument sequence that was not intended. + +III. Impact + +An attacker who controls the sequence of memory allocation failures and +success may cause login(1) to run without authentication and may be able +to cause misbehavior of login(1) replacements. + +No practical way of controlling these memory allocation failures is +known at this time. + +IV. Workaround + +No workaround is available, but systems not running the telnet daemon +are not vulnerable. + +Note that the telnet daemon is usually run via inetd, and consequently +will not show up in a process listing unless a connection is currently +active; to determine if it is enabled, run + +$ ps ax | grep telnetd | grep -v grep +$ grep telnetd /etc/inetd.conf | grep -vE '^#' + +If any output is produced, your system may be vulnerable. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-16:36/telnetd.patch +# fetch https://security.FreeBSD.org/patches/SA-16:36/telnetd.patch.asc +# gpg --verify telnetd.patch.asc + +b) Apply the patch. 
Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Kill any running telnetd processes, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r309643 +releng/9.3/ r309637 +stable/10/ r309642 +releng/10.1/ r309636 +releng/10.2/ r309635 +releng/10.3/ r309634 +stable/11/ r309641 +releng/11.0/ r309633 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1888> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:36.telnetd.asc> +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJYRw1uAAoJEO1n7NZdz2rnUC0P/3R7UoeNFknnYEXs25NnTS3h +oDZnGEbLloqQC4mAtPsC2v9WdSRh318J7UMOpko+uYlvxwsJe9TXRgUwP24atdtJ +a0Al8BvbmIHckIxG7cFJ6Xsw5NDXBgHo2JWBgdU2xvRafZYvFmjlGyxGrvg6Ok0s +LCz+cnOwni+J4R0CUHTb7eyoeW4HYsg5bVBnzmDwdqQTiig4PsIBVSu+VbOM8kTT +u7JCzxibzwm9TE0orxDBsY60//hbJRMm12SXj+tVJS3w+qK2iY+Aq02llyTqlGHd +Tpz4++d9UlS5QSPnu42ev/wzfPDZoxhbb5yciEUDSZA7vG5RD0pCfxfOf+8zORXA +PLp8XRrl76DJonULUjtNPo8xE3gFOztbUZyTFpxChXUPzZGp0oPRQgTIBTMEPejH +jC7O5ic0q7aA8UcQk5tqn6lNS6eK6z2UoKGYN4qCjTlC18s1u9dPwHzeSAzjg5YF +fHX0t/MB8zJ5ts0pUs6OTMOu6umrP4SUJF9hpACFG16vzjJ1S573tuPr9L4HMNCv +XTX9kjcFwmHqpbrFYW38Fk90x14TT3tigi+xYvCruS1XQeLQM48ThgYAdEboGJvT +8LGVI8rbwjaglrEk670RlnWVKQInqtPBmbV/GXL9AtE4zzsTHXDT/7iJ30pb4RJq +rA+cnK1Bog6FHCWGTxjF +=uYUg +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-16:37.libc.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-16:37.libc.asc Tue Dec 6 19:15:01 2016 (r49711) 
@@ -0,0 +1,139 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-16:37.libc Security Advisory + The FreeBSD Project + +Topic: link_ntoa(3) buffer overflow + +Category: core +Module: libc +Announced: 2016-12-06 +Affects: All supported versions of FreeBSD. +Corrected: 2016-12-06 18:53:21 UTC (stable/11, 11.0-STABLE) + 2016-12-06 18:49:38 UTC (releng/11.0, 11.0-RELEASE-p4) + 2016-12-06 18:53:46 UTC (stable/10, 10.3-STABLE) + 2016-12-06 18:49:48 UTC (releng/10.3, 10.3-RELEASE-p13) + 2016-12-06 18:49:54 UTC (releng/10.2, 10.2-RELEASE-p26) + 2016-12-06 18:49:59 UTC (releng/10.1, 10.1-RELEASE-p43) + 2016-12-06 18:54:04 UTC (stable/9, 9.3-STABLE) + 2016-12-06 18:50:06 UTC (releng/9.3, 9.3-RELEASE-p51) +CVE Name: CVE-2016-6559 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The link_ntoa(3) function generates ASCII representation of a link-level +address and is avaliable as part of standard C library (libc). + +II. Problem Description + +A specially crafted argument can trigger a static buffer overflow in the +library, with possibility to rewrite following static buffers that belong to +other library functions. + +III. Impact + +Due to very limited use of the function in the existing applications, +and limited length of the overflow, exploitation of the vulnerability +does not seem feasible. None of the utilities and daemons in the base +system are known to be vulnerable. However, careful review of third +party software that may use the function was not performed. + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. 
+ +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Restart all daemons that use the library, or reboot the system. + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-16:37/libc.patch +# fetch https://security.FreeBSD.org/patches/SA-16:37/libc.patch.asc +# gpg --verify libc.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart all daemons that use the library, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r309646 +releng/9.3/ r309637 +stable/10/ r309645 +releng/10.1/ r309636 +releng/10.2/ r309635 +releng/10.3/ r309634 +stable/11/ r309644 +releng/11.0/ r309633 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:http://www.kb.cert.org/vuls/id/548487> +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6559> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:37.libc.asc> +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJYRw1vAAoJEO1n7NZdz2rnk5sP/18NuTRoit3jfa1uHCYMyTOB +vOGtNtn5xs8NNY4wAdYx2cF3CscTZEWyQtXWsMWzXgbWI0KrWteacGDaDlFwraCu +9/TJmkCQC5FCfYsgQFOpOPtMl9W+gY2ZrmEPXsfc/smjvIas3fPCBjnoRM2qQlfc +25YIut+S6OFhm2XM42t/jljbLs6b/PJikeKt7kEEEjKKXWHNwLEYjbtEyelKxD1i +1IBVe4Run2RajERg99yCznAGGvRo2hbGmnV59kDAilanJK+s3pzCOBFdnKyZd/2l +Ie8B/fKEXRJyFgJF7A9eSuElTV5fCFfX05AC3PXMoi+GsVPQqhEpNb1FvJoANiFL +l61nbqkM5KEteIWvf1udHZo6kjhYY4YlvutXW7o41XaUhnaO3dC+4+VpfTycH/no +j8kVFS1Y9oun31TTZ/+aQqnCfozAMKFaZtrZI3UkSR1kjz5Z5Rqrc4isBhXXP1dQ +QC87THCyW2D1+E0LvMyJEWKtjGMd8OO5KZjvTxcmxDSrqEOn+yGT1Lp8G/NLuQ4D +zcarPPl2eE0bikvL/T/k7OdpplTDXoaCOHiMIr02WpbJwipw6HD4FZrg1IQu/Db9 +2cHihr/tS1mbr7k/VKUyIZvQQhZ9j72m4wwBk0CFEG8DeZtMeSum1xgLTEjUerHe +rWrKG2feWv//R0BvVNhu +=8y53 +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-16:38.bhyve.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-16:38.bhyve.asc Tue Dec 6 19:15:01 2016 (r49711) 
@@ -0,0 +1,143 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-16:38.bhyve Security Advisory + The FreeBSD Project + +Topic: bhyve(8) virtual machine escape + +Category: core +Module: bhyve +Announced: 2016-12-06 +Credits: Felix Wilhelm +Affects: FreeBSD 10.x, FreeBSD 11.0 +Corrected: 2016-12-06 18:54:43 UTC (stable/11, 11.0-STABLE) + 2016-12-06 18:49:38 UTC (releng/11.0, 11.0-RELEASE-p4) + 2016-12-06 18:55:01 UTC (stable/10, 10.3-STABLE) + 2016-12-06 18:49:48 UTC (releng/10.3, 10.3-RELEASE-p13) + 2016-12-06 18:49:54 UTC (releng/10.2, 10.2-RELEASE-p26) + 2016-12-06 18:49:59 UTC (releng/10.1, 10.1-RELEASE-p43) +CVE Name: CVE-2016-1889 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +bhyve(8) is a hypervisor that supports running a variety of virtual +machines (guests). + +II. Problem Description + +The bounds checking of accesses to guest memory greater than 4GB by +device emulations is subject to integer overflow. + +III. Impact + +For a bhyve virtual machine with more than 3GB of guest memory configured, +a malicious guest could craft device descriptors that could give it access +to the heap of the bhyve process. Since the bhyve process is running as root, +this may allow guests to obtain full control of the hosts they're running on. + +IV. Workaround + +No workaround is available, however, systems not using bhyve(8) for +virtualization are not vulnerable. Additionally, systems using bhyve(8) with +3GB or less of configured guest memory are not vulnerable. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +No reboot is needed. 
Rather the bhyve(8) process for vulnerable virtual +machines should be restarted. + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 +platform can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 11.0, FreeBSD 10.3] +# fetch https://security.FreeBSD.org/patches/SA-16:38/bhyve.patch +# fetch https://security.FreeBSD.org/patches/SA-16:38/bhyve.patch.asc +# gpg --verify bhyve.patch.asc + +[FreeBSD 10.2, FreeBSD 10.1] +# fetch https://security.FreeBSD.org/patches/SA-16:38/bhyve-10.patch +# fetch https://security.FreeBSD.org/patches/SA-16:38/bhyve-10.patch.asc +# gpg --verify bhyve-10.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r309648 +releng/10.1/ r309636 +releng/10.2/ r309635 +releng/10.3/ r309634 +stable/11/ r309647 +releng/11.0/ r309633 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1889> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:38.bhyve.asc> +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJYRw1wAAoJEO1n7NZdz2rnepoP/1b6uXh8BFW8Qi9cVyfUkldC +aRfAdmE3azyJCwTY2cipIA+qp9SJUxnLf1lPicERIPZY6iiC6Zm1Qi+cfwCvgczu +ksY9aYOM7/v1jKuUrPf7tJZ5OokRzkL8W2uCKqAn2BODBK1mA4yy8yGthgyCT6bH +JzvINPnlQzJKHCdp/8goRVITxa+kMF7UBbpPDAkHuBNKKNRLOYb50Z9G7BZp9/u6 +/Y8avPVCOnU7WKDehG6FgyfE0Z+pUw6dAgpYNblsdQc148xGCSoHyHjXIX1jHzCv +ZChUhj+6m7CQkjh/GG6x1Bz1lCcsIgsnPAAuQC0WqsaQRnUWJXjTyPMHwkxIHlD7 +sFGPdM4RdMI0O95xMm9Dy05baNsAtBr6DExd48jFv/qbUio9FhUNUJ5rfQEAnyp2 +aAZL34rd90KPFn5zp8EhskOPWGJp7lr+5FpV1m85R07qRES9875eWWYUW5H+yZK+ +kwUcRKiYyvAFTx7Ag38pCtH4SVZ4zRV0mBZnOvchNosMSJz+tZYxApaXHY/nBJck +wCr+v4DlB9x4LKt9CnB1ow+YqVsMuPyXwyj4e9Pyw/zkvW1aA/TJeUonmm1c2vI4 +07b64wnTsvLGgbhN2ei8LPtAEwpN/DBn7D098Zwf4CfCGQ2VZQeC5AjyTSX9bvy/ +WnKlRTDLDrFSpAD/1/Dz +=ts3q +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-16:19/tzcode.patch ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-16:19/tzcode.patch Tue Dec 6 19:15:01 2016 (r49711) 
@@ -0,0 +1,70 @@ +--- contrib/tzcode/zic/zdump.c.orig ++++ contrib/tzcode/zic/zdump.c +@@ -212,24 +212,16 @@ + return; + cp = abbrp; + wp = NULL; +- while (isascii((unsigned char) *cp) && isalpha((unsigned char) *cp)) ++ while (isascii((unsigned char) *cp) && ++ (isalnum((unsigned char)*cp) || *cp == '-' || *cp == '+')) + ++cp; +- if (cp - abbrp == 0) +- wp = _("lacks alphabetic at start"); +- else if (cp - abbrp < 3) +- wp = _("has fewer than 3 alphabetics"); ++ if (cp - abbrp < 3) ++ wp = _("has fewer than 3 characters"); + else if (cp - abbrp > 6) +- wp = _("has more than 6 alphabetics"); +- if (wp == NULL && (*cp == '+' || *cp == '-')) { +- ++cp; +- if (isascii((unsigned char) *cp) && +- isdigit((unsigned char) *cp)) +- if (*cp++ == '1' && *cp >= '0' && *cp <= '4') +- ++cp; +- if (*cp != '\0') +- wp = _("differs from POSIX standard"); +- } +- if (wp == NULL) ++ wp = _("has more than 6 characters"); ++ else if (*cp) ++ wp = "has characters other than ASCII alphanumerics, '-' or '+'"; ++ else + return; + (void) fflush(stdout); + (void) fprintf(stderr, +--- contrib/tzcode/zic/zic.c.orig ++++ contrib/tzcode/zic/zic.c +@@ -2615,29 +2615,15 @@ + register const char * cp; + register char * wp; + +- /* +- ** Want one to ZIC_MAX_ABBR_LEN_WO_WARN alphabetics +- ** optionally followed by a + or - and a number from 1 to 14. 
+- */ + cp = string; + wp = NULL; + while (isascii((unsigned char) *cp) && +- isalpha((unsigned char) *cp)) ++ (isalnum((unsigned char)*cp) || *cp == '-' || *cp == '+')) + ++cp; +- if (cp - string == 0) +-wp = _("time zone abbreviation lacks alphabetic at start"); + if (noise && cp - string > 3) +-wp = _("time zone abbreviation has more than 3 alphabetics"); ++wp = _("time zone abbreviation has more than 3 characters"); + if (cp - string > ZIC_MAX_ABBR_LEN_WO_WARN) +-wp = _("time zone abbreviation has too many alphabetics"); +- if (wp == NULL && (*cp == '+' || *cp == '-')) { +- ++cp; +- if (isascii((unsigned char) *cp) && +- isdigit((unsigned char) *cp)) +- if (*cp++ == '1' && +- *cp >= '0' && *cp <= '4') +- ++cp; +- } ++wp = _("time zone abbreviation has too many characters"); + if (*cp != '\0') + wp = _("time zone abbreviation differs from POSIX standard"); + if (wp != NULL) { Added: head/share/security/patches/EN-16:19/tzcode.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-16:19/tzcode.patch.asc Tue Dec 6 19:15:01 2016 (r49711) 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJYRw1pAAoJEO1n7NZdz2rn52EP/itjGSb9xqDAmCNvcNxFgPvJ +fBZ+bBre8eh908lmMbnLJvXRmz/wTxljqmt+6dHwsoAPDo+FGLudZyWTrA2dqTZm +fPu8GBTtFlynmwAqXjNePTk+Z4EcqkY1ZwyNuJuOVtnsOpqTb9gTRDlNyrVwcz19 +IlUUJuylCC7hf7v51nheVXY799EywUYznKqPfsfTp0qRxQfwvi1dku1nbCc/dR+/ +qjLhFzl58yjiprpnWxUsU+SJKie2svsM9UEg62aZgs7ZWXZ2RP7QP4rSrwJSf5x1 +6NI7PUM17HqQK1peG8pwwoeeKjP7r1kbFY5udGHY/KWrtLg/0U2erENScUvv8RkJ +8Dl8FMdWUpoWd3/Xs/W82b0r0sEVDS65JPZJNYy2iMegZUHji6+y1i4UUywhXtoj +5GU0p1voD8g+6JmP90NC7w2mg7UgYvBovW9osKH5s01CntG+XmWoQLwCCHWJwK9G +Uan949xMT5VoaUn9UyXhLQ9xAD5mUTkNRy8JFbUjblBR6Rrk1mdHdhZq6I3pQ/3i +QSsH44cyrVLCZ3j0AeITPZDtvN8Iw34D8yM0uTenRXWTRdzQEEFBoxwl7QBGD3I6 +Og9lZJ5J53GCx37vyMmyb+FHaMjZnWFBMUDnrNfK0eImlEXjSH797Iz7JAlDEv2e +jSrQ0ZFzbbUgMN9f1xxj +=DGoh +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-16:20/tzdata-10.1.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-16:20/tzdata-10.1.patch Tue Dec 6 19:15:01 2016 (r49711) @@ -0,0 +1,15859 @@ +--- contrib/tzdata/CONTRIBUTING.orig ++++ contrib/tzdata/CONTRIBUTING +@@ -0,0 +1,73 @@ ++Contributing to the tz code and data ++ ++The time zone database is by no means authoritative: governments ++change timekeeping rules erratically and sometimes with little *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
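Review bot: In FreeBSD-SA-16:37.libc.asc, section V, "Restart all daemons that use the library, or reboot the system" gives an administrator little to act on when the library is libc, since practically every dynamically linked daemon uses it. Suggest recommending the reboot outright, or naming the affected function so operators can judge which services matter. In section VII the CERT reference is the only link written as http:// while every other URL in the advisory is https://.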
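Review bot: In FreeBSD-SA-16:38.bhyve.asc, section V, the sentence "Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date." appears twice, once at the top of the section and again as option 1) under "Perform one of the following:"; drop the first copy so that "No reboot is needed" leads the section. In the same section the recompile step after "b) Apply the patch" has lost the "c)" label that the SA-16:37 text in this commit keeps. Sections II to IV also move between "greater than 4GB" for the overflowing access and "more than 3GB" for the vulnerable configuration without a sentence relating the two thresholds; one line explaining how they connect would let a reader check their own guests against the workaround.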
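Review bot: In the zdump.c hunk of tzcode.patch (@@ -212,24 +212,16 @@), the new message "has characters other than ASCII alphanumerics, '-' or '+'" is assigned to wp as a bare string literal, while the two messages next to it ("has fewer than 3 characters", "has more than 6 characters") stay wrapped in _(), so it will not go through the translation lookup the others do. Wrap it in _() like its neighbours. The added condition also writes the cast as "(unsigned char)*cp" where the surrounding lines use "(unsigned char) *cp"; keep one spacing.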
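Review bot: In the zic.c hunk of tzcode.patch (@@ -2615,29 +2615,15 @@), removing the "cp - string == 0" test leaves an empty abbreviation with no message at all: the scan loop stops immediately, neither of the remaining length tests fires, and "*cp != '\0'" is false, so wp stays NULL. zdump.c in this same patch still catches that case through "cp - abbrp < 3"; add a matching lower-bound check here. The retained "time zone abbreviation differs from POSIX standard" text is also less specific than zdump's new wording for the same condition, and the deleted block comment describing the accepted form is not replaced by one stating the new rule (ASCII alphanumerics, '-' or '+').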