Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 16 Mar 2016 23:10:13 +0000 (UTC)
From:      Gleb Smirnoff <glebius@FreeBSD.org>
To:        doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject:   svn commit: r48424 - in head/share: security/advisories security/patches/EN-16:04 security/patches/EN-16:05 security/patches/SA-16:14 security/patches/SA-16:15 xml
Message-ID:  <201603162310.u2GNADiH055508@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: glebius (src committer)
Date: Wed Mar 16 23:10:13 2016
New Revision: 48424
URL: https://svnweb.freebsd.org/changeset/doc/48424

Log:
  Document today updates:
  
  FreeBSD-16:04.hyperv
  FreeBSD-16:05.hv_netvsc
  FreeBSD-SA-16:14.openssh
  FreeBSD-SA-16:15.sysarch

Added:
  head/share/security/advisories/FreeBSD-16:04.hyperv.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-16:05.hv_netvsc.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-16:14.openssh.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-16:15.sysarch.asc   (contents, props changed)
  head/share/security/patches/EN-16:04/
  head/share/security/patches/EN-16:04/hyperv.patch   (contents, props changed)
  head/share/security/patches/EN-16:04/hyperv.patch.asc   (contents, props changed)
  head/share/security/patches/EN-16:05/
  head/share/security/patches/EN-16:05/hv_netvsc.patch   (contents, props changed)
  head/share/security/patches/EN-16:05/hv_netvsc.patch.asc   (contents, props changed)
  head/share/security/patches/SA-16:14/
  head/share/security/patches/SA-16:14/openssh-xauth.patch   (contents, props changed)
  head/share/security/patches/SA-16:14/openssh-xauth.patch.asc   (contents, props changed)
  head/share/security/patches/SA-16:15/
  head/share/security/patches/SA-16:15/sysarch.patch   (contents, props changed)
  head/share/security/patches/SA-16:15/sysarch.patch.asc   (contents, props changed)
Modified:
  head/share/xml/advisories.xml
  head/share/xml/notices.xml

Added: head/share/security/advisories/FreeBSD-16:04.hyperv.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-16:04.hyperv.asc	Wed Mar 16 23:10:13 2016	(r48424)
@@ -0,0 +1,137 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-16:04.hyperv                                         Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Hyper-V KVP (Key-Value Pair) daemon indefinite sleep
+
+Category:       core
+Module:         hyperv
+Announced:      2016-03-16
+Credits:        Microsoft Open Source Technology Center(OSTC)
+Affects:        FreeBSD 10.x
+Corrected:      2015-12-18 14:52:12 UTC (stable/10, 10.2-STABLE)
+                2016-03-16 22:31:04 UTC (releng/10.2, 10.2-RELEASE-p14)
+                2016-03-16 22:30:56 UTC (releng/10.1, 10.1-RELEASE-p31)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+Hyper-V is a native hypervisor running on Windows operating system. It can
+run FreeBSD 10.x as guest in virtual machine.
+
+Data Exchange is an integration service, also known as a key-value pair or  
+KVP, that can be used to share information between virtual machines and the
+Hyper-V host.  For more information, see
+<URL:https://technet.microsoft.com/en-us/library/dn798287.aspx>.
+
+II.  Problem Description
+
+The KVP driver code doesn't implement the KVP device's .d_poll callback
+correctly: when there is no data available to the user-mode KVP daemon, the
+driver forgets to remember the daemon and wake up the daemon later.  As a
+result, the daemon can't be woken up in a predictable period of time, and
+the host side's KVP query can hang for an unexpected period of time and get
+timeout, and finally the host can think the VM is irresponsive or unhealthy.
+
+III. Impact
+
+When a FreeBSD 10.x virtual machine runs on Hyper-V, the host may not get the
+expected response of a KVP query. When a virtual machine runs on Azure, the
+host may try to recover the "irresponsive" virtual machine by killing it and
+starting it later, causing unnecessary virtual machine downtime.
+
+IV.  Workaround
+
+Don't run the KVP daemon on a virtual machine.  With this, the host will know
+that KVP functionality is not working at all, so the host won't try to send KVP
+query to virtual machine.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.  Reboot is required.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Reboot is required.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-16:04/hyperv.patch
+# fetch https://security.FreeBSD.org/patches/EN-16:04/hyperv.patch.asc
+# gpg --verify hyperv.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r292438
+releng/10.1/                                                      r296954
+releng/10.2/                                                      r296955
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>;
+
+VII. References
+
+<URL:https://technet.microsoft.com/en-us/library/dn798287.aspx>.
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-16:04.hyperv.asc>;
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJW6eQmAAoJEO1n7NZdz2rnq+sQAOOnGB826xMwM5xW7a2rnOKV
+SDPzC0XXkHhRltJWSaIBi+nhKusMQcuYEaZDG8P5pvugpJfBPDhv2THu9ofEhvB4
+88iT4sFOKi20iXJxrZQM5UT9tPaDoWUCQ9isr4HseotF5Hda4onplGK3/VXq3xGF
+tGjgOfnHbhQbXAf7JZwCfjUeIyYYY2VGBscSwDF/AS0Z9vUEudNKnPEZcC5V19LJ
+8vZHjknNpchklnaT0UFZwrpFEgpmSU5rtYlH6FbfWYbspqRjEk1Ia2wkasB9im2z
+v2vc+qNOqgOMATgatix0yqzXnBkOqi+5ra0MUipXG89l3Yxvekv0mvqQFYRWN7MN
+fjPOnP9i2hjoKbbPEArEmYffOFMjxrOTgzLYVxXntOTUFMgGcUXltgjlo/Ov4Fm0
+CfDIDUBlyPlDkemPYiaRinyLim4M3TOll2M6ucnonFuE//sLfU/DEnlz8pf+yJg3
+jeJ7Pi6YKe+YUrTj2kL8shoPWjg00oHCIZua9nFhdHwNURX5XuoPlf84qxeSmumL
+lbQ8Dq82zkECJmJe7fGshUyPGlXqN+ValGYtZkuQwS/vq1cxRomvO1naZQDqJuVA
+Z15SW63CnsFIYJvK0Dd0v0i3Nw0WYHRRJ5nFo18WIzHs2FZguib1wqiN6D1oRnrH
+0YgK0KZFzwWufB7YB0TG
+=4BjO
+-----END PGP SIGNATURE-----

Added: head/share/security/advisories/FreeBSD-16:05.hv_netvsc.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-16:05.hv_netvsc.asc	Wed Mar 16 23:10:13 2016	(r48424)
@@ -0,0 +1,129 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-16:05.hv_netvsc                                      Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          hv_netvsc(4) incorrect TCP/IP checksums
+
+Category:       core
+Module:         hyperv
+Announced:      2016-03-16
+Credits:        Larry Baird
+Affects:        FreeBSD 10.2
+Corrected:      2015-12-18 14:56:49 UTC (stable/10, 10.2-STABLE)
+                2016-03-16 22:31:04 UTC (releng/10.2, 10.2-RELEASE-p14)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+Hyper-V is a native hypervisor running on Windows operating system. It can
+run FreeBSD 10.x as guest in virtual machine.
+
+When FreeBSD guest runs on Hyper-V, to get the best network performance,
+it usually uses the Hyper-V synthetic network device.  The driver of the
+network device is called hv_netvsc(4).  Since FreeBSD 10.2-RELEASE the
+driver supports TCP segmentation and TCP/IP checksum offloading.
+
+II.  Problem Description
+
+Together with the TCP segmentation and TCP/IP checksum offloading a regression
+was introduced.  The driver checked the inbound checksum flags when deciding
+whether to process checksums or not, while it should have checked the outbound
+flags only.
+
+III. Impact
+
+If the guest running on Hyper-V is configured as a gateway, the host will
+silently drop certain packets from the guest.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.  Reboot is required.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Reboot is required.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-16:05/hv_netvsc.patch
+# fetch https://security.FreeBSD.org/patches/EN-16:05/hv_netvsc.patch.asc
+# gpg --verify hv_netvsc.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r292439
+releng/10.2/                                                      r296955
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>;
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203630>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-16:05.hv_netvsc.asc>;
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJW6eQyAAoJEO1n7NZdz2rnOdQQANX3NYcoY1uMJEJcOMgfKp52
+OUKUriPdJjEr94Yq/QSGaIp5WyZ5O/hu89LI45DlJMHGxQYJrpQuM1Cyf2QS770u
+yrmfTkcJpqmwJpr4pOqQuYUHuAXkUsOeOysOO/2ccP7USFWqdWbgLotbq3JAFwIz
+cnPwteAawZ3BZLaDRXgsr9Hhqn5d++YIsYC3mhyGNJJI6LlNG/ihba2Vd8lDu9hv
+UVv0WW8yfv851jEv/vhCQmhHcHcIAhzZGLn47Shi4s0833icvPeU+Xc/cpL/wifX
+vCPKA53DqdsNCsPQbbfzgCgoxV1iC3zb/4EOUAIpCInS00N4YQeQiJePH7Im56rc
+y6LsccIf1otr8xCuRuWsUVXuzrmtDBKDzE2gwMx+YHAEWl7ObhgM1VYYWoYnwBlr
+g+M2Wynjcj/rSZUpBdtUFFDNhqFlvrFSXDUEl0MbK4IzwtyOQtQfnCjy6kTqr2yB
+czWonmU9tgLtaqkN61b5pBx+jR2oEC4M8HPHuA2LmEKLJrgfePHBIAZ7cPnWaZ4O
+L4uP97MPmZEQggQeED5SLTMl3jJUe52H9XDkN8RV8/P3oA/YXBD4prhg4fYvNKQT
+VR0pWvlnJNmjaupCBWOfJfG1S8+oOfoTNV5/Fq83LVLW0DPKHVmLtQfS5Rs02745
+VnvCDT/XPOCODW1KdsSc
+=vkxR
+-----END PGP SIGNATURE-----

Added: head/share/security/advisories/FreeBSD-SA-16:14.openssh.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-16:14.openssh.asc	Wed Mar 16 23:10:13 2016	(r48424)
@@ -0,0 +1,153 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-16:14.openssh                                    Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          OpenSSH xauth(1) command injection
+Category:       contrib
+Module:         OpenSSH
+Announced:      2016-03-16
+Credits:        
+Affects:        All supported versions of FreeBSD.
+Corrected:      2016-03-12 23:53:20 UTC (stable/10, 10.2-STABLE)
+                2016-03-14 13:05:13 UTC (releng/10.3, 10.3-RC2)
+                2016-03-16 22:31:04 UTC (releng/10.2, 10.2-RELEASE-p14)
+                2016-03-16 22:30:56 UTC (releng/10.1, 10.1-RELEASE-p31)
+                2016-03-13 23:50:19 UTC (stable/9, 9.3-STABLE)
+                2016-03-16 22:30:03 UTC (releng/9.3, 9.3-RELEASE-p39)
+CVE Name:       CVE-2016-3115
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+OpenSSH is an implementation of the SSH protocol suite, providing an
+encrypted and authenticated transport for a variety of services,
+including remote shell access.  OpenSSH supports X11 forwarding,
+allowing X11 applications on the server to connect to the client's
+display.
+
+When an X11 forwarding session is established, the OpenSSH daemon runs
+the xauth tool with information provided by the client to create an
+authority file on the server containing information that applications
+need in order to connect to the client's X11 display.
+
+II.  Problem Description
+
+Due to insufficient input validation in OpenSSH, a client which has
+permission to establish X11 forwarding sessions to a server can
+piggyback arbitrary shell commands on the data intended to be passed
+to the xauth tool.
+
+III. Impact
+
+An attacker with valid credentials and permission to establish X11
+forwarding sessions can bypass other restrictions which may have been
+placed on their account, for instance using ForceCommand directives in
+the server's configuration file.
+
+IV.  Workaround
+
+Disable X11 forwarding globally by adding the following line to
+/etc/ssh/sshd_config, before any Match blocks:
+
+  X11Forwarding no
+
+then either restart the OpenSSH daemon or reboot the system.
+
+Consult the sshd(8) and sshd_config(5) manual pages for additional
+information on how to enable or disable X11 forwarding on a per-user
+or per-key basis.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+then either restart the OpenSSH daemon or reboot the system.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# service sshd restart
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 9.3]
+# fetch https://security.FreeBSD.org/patches/SA-16:14/openssh-xauth.patch
+# fetch https://security.FreeBSD.org/patches/SA-16:14/openssh-xauth.patch.asc
+# gpg --verify openssh-xauth.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+d) Either restart the OpenSSH daemon or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/9/                                                         r296780
+releng/9.3/                                                       r296953
+stable/10/                                                        r296781
+releng/10.1/                                                      r296954
+releng/10.2/                                                      r296955
+releng/10.3/                                                      r296853
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>;
+
+VII. References
+
+<URL:http://www.openssh.com/txt/x11fwd.adv>;
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3115>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:14.openssh.asc>;
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJW6ePuAAoJEO1n7NZdz2rncF0QAOu5DtldNmqgqr7iwdCguoiB
+wTYAenLBBhbj4SoMeqhGd9p6RfoKtgsjt1Pbw/4XXJOIsgvFezm4GvDHWrHCqp14
+3DIJWTxcXcDkRvnqiqUJSDszeM7BYu7G+q8VXEGl0ObMBWfgfsP42jnemx81bI4e
+W4Y5/idRvE+6yn7ja3qnNFEB8NfBZOYBV27+tTBiKaZgOt52yWQiFuVIE0WDYS/f
+I7Pc5DzMAU5l4bEPRYlniuVKOaGY+JYjbuVW/4af9MU6JYmK3HATtNcAuDi2SsSo
+SIpbJeILtyXTi72LClT/Px1GsQi/OIjiE2/7DOtNODyjPnQlRIoHveaaYBZ+WUks
+A0hEgaxdDLU+SUHcJKmbdu65eCQtrkdS0vquGnlqd2Q1fqQwwE4U1A2tEgbsGZ6R
+fikKBHISZYwhGMkIijy0ImDAD/SzO5UrIsgePM+9PoeGqLRZXKVNCtxaKpA9tO80
+J9MAbLsi7jgzncCGliL6x3m/w6xsJWP//NtyZVF74ydMEh8IuW4n8yrlrZN5cWJa
+2rySvewHvdXwlClFzMrAxwRPEo845xmsIvODMpaZplXaIzqNN46WfkBsPZTBkYR4
+xF/YNQkLSjYpbrv9GLfJtDn2+ny5OYkJ/pWhaiN0r7oeBjnbXLz9Y/4sS1rFyIMR
+OYy+uH7vcQ7RLXfVgahv
+=RZqF
+-----END PGP SIGNATURE-----

Added: head/share/security/advisories/FreeBSD-SA-16:15.sysarch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-16:15.sysarch.asc	Wed Mar 16 23:10:13 2016	(r48424)
@@ -0,0 +1,141 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-16:15.sysarch                                    Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Incorrect argument validation in sysarch(2)
+
+Category:       core
+Module:         kernel
+Announced:      2016-03-16
+Credits:        Core Security
+Affects:        All supported versions of FreeBSD.
+Corrected:      2016-03-16 22:35:55 UTC (stable/10, 10.2-STABLE)
+                2016-03-16 22:31:04 UTC (releng/10.2, 10.2-RELEASE-p14)
+                2016-03-16 22:30:56 UTC (releng/10.1, 10.1-RELEASE-p31)
+                2016-03-16 22:36:02 UTC (stable/9, 9.3-STABLE)
+                2016-03-16 22:30:03 UTC (releng/9.3, 9.3-RELEASE-p39)
+CVE Name:       CVE-2016-1885
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The IA-32 architecture allows programs to define segments, which provides
+based and size-limited view into the program address space.  The
+memory-resident processor structure, called Local Descriptor Table,
+usually abbreviated LDT, contains definitions of the segments.  Since
+incorrect or malicious segments would breach system integrity, operating
+systems do not provide processes direct access to the LDT, instead
+they provide system calls which allow controlled installation and removal 
+of segments.
+
+II.  Problem Description
+
+A special combination of sysarch(2) arguments, specify a request to
+uninstall a set of descriptors from the LDT.  The start descriptor
+is cleared and the number of descriptors are provided.  Due to invalid
+use of a signed intermediate value in the bounds checking during argument
+validity verification, unbound zero'ing of the process LDT and adjacent
+memory can be initiated from usermode.
+
+III. Impact
+
+This vulnerability could cause the kernel to panic. In addition it is
+possible to perform a local Denial of Service against the system by
+unprivileged processes. 
+
+IV.  Workaround
+
+No workaround is available, but only the amd64 architecture is affected.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Reboot is required.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD platforms can be updated
+via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Reboot is required.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch.patch
+# fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch.patch.asc
+# gpg --verify sysarch.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/9/                                                         r296958
+releng/9.3/                                                       r296953
+stable/10/                                                        r296957
+releng/10.1/                                                      r296954
+releng/10.2/                                                      r296955
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>;
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1885>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:15.sysarch.asc>;
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJW6eO/AAoJEO1n7NZdz2rn0UMP/iU/orN0P6+Rsj9hY2B6M0VS
+H6CMMVvketkIIWl9oKX9D/G0g/HyD8uFy06qL2OBz+h99h1oaF5ELl4G6TkF69Ra
+yOKrLcWnyi3eWLUaPvGkrLakVpG0+pU3QRvBT+d0nsTarOMPq+nhooarMfAluF3p
+c3bXEjzn/lTA5T0zTcGS2o9IgORvYrKRIGW0KJDsCWsDgVyWngsJAJdIrzwx022Q
+ENoIGmgLnYsx7TY1cuMtdb3TVyJsZv8zjrrmcLzw67Vly7wShs22CKK23ydDDyy9
+xFYsbWA+X8CarV2uSk8xJCIbWjJSlfc9XvOlHLZEiT7PNCZIk2c2fNLENxHvyNl1
+vgIUBoD/wzzS5QqdnT4r726aQt3pNezns1NDxujwUovVn5nQaXnKOTJHsOthDJ99
+PakEMa93iZqOfzbVouBIBH1IPgNLHof9Jdq3wYiKhrQVJXRespdpCfh3/wdph9LB
+ElBOTlrCcShV+N6deO4KI2wNK5h704D4hOMsqlInLwGQmGi7qa4ouWASgzQQmU/8
+6va3mJsgCvzHUpRCMQo7pIZm6SnOIYLdg7S4vV7P6q5oOIBnjFa8bK/Cq+zOR42e
+gJs9ou65JTTC0KG+26wXaD2Wx8uriO/+ZfCT/YM29FUUqIdayqHxhACjF0lkY83P
+02CAQXURVoI7kbjHaGT7
+=jV9z
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/EN-16:04/hyperv.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-16:04/hyperv.patch	Wed Mar 16 23:10:13 2016	(r48424)
@@ -0,0 +1,48 @@
+--- sys/dev/hyperv/utilities/hv_kvp.c.orig
++++ sys/dev/hyperv/utilities/hv_kvp.c
+@@ -44,6 +44,7 @@
+ #include <sys/reboot.h>
+ #include <sys/lock.h>
+ #include <sys/taskqueue.h>
++#include <sys/selinfo.h>
+ #include <sys/sysctl.h>
+ #include <sys/poll.h>
+ #include <sys/proc.h>
+@@ -114,6 +115,8 @@
+ static struct hv_kvp_msg *hv_kvp_dev_buf;
+ struct proc *daemon_task;
+ 
++static struct selinfo hv_kvp_selinfo;
++
+ /*
+  * Global state to track and synchronize multiple
+  * KVP transaction requests from the host.
+@@ -628,6 +631,9 @@
+ 
+ 	/* Send the msg to user via function deamon_read - setting sema */
+ 	sema_post(&kvp_globals.dev_sema);
++
++	/* We should wake up the daemon, in case it's doing poll() */
++	selwakeup(&hv_kvp_selinfo);
+ }
+ 
+ 
+@@ -940,7 +946,7 @@
+  * for daemon to read.
+  */
+ static int
+-hv_kvp_dev_daemon_poll(struct cdev *dev __unused, int events, struct thread *td  __unused)
++hv_kvp_dev_daemon_poll(struct cdev *dev __unused, int events, struct thread *td)
+ {
+ 	int revents = 0;
+ 
+@@ -953,6 +959,9 @@
+ 	 */
+ 	if (kvp_globals.daemon_busy == true)
+ 		revents = POLLIN;
++	else
++		selrecord(td, &hv_kvp_selinfo);
++
+ 	mtx_unlock(&kvp_globals.pending_mutex);
+ 
+ 	return (revents);

Added: head/share/security/patches/EN-16:04/hyperv.patch.asc
==============================================================================
Binary file. No diff available.

Added: head/share/security/patches/EN-16:05/hv_netvsc.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-16:05/hv_netvsc.patch	Wed Mar 16 23:10:13 2016	(r48424)
@@ -0,0 +1,28 @@
+--- sys/dev/hyperv/netvsc/hv_netvsc_drv_freebsd.c.orig
++++ sys/dev/hyperv/netvsc/hv_netvsc_drv_freebsd.c
+@@ -128,6 +128,15 @@
+ #define HV_NV_SC_PTR_OFFSET_IN_BUF         0
+ #define HV_NV_PACKET_OFFSET_IN_BUF         16
+ 
++/*
++ * A unified flag for all outbound check sum flags is useful,
++ * and it helps avoiding unnecessary check sum calculation in
++ * network forwarding scenario.
++ */
++#define HV_CSUM_FOR_OUTBOUND						\
++    (CSUM_IP|CSUM_IP_UDP|CSUM_IP_TCP|CSUM_IP_SCTP|CSUM_IP_TSO|		\
++    CSUM_IP_ISCSI|CSUM_IP6_UDP|CSUM_IP6_TCP|CSUM_IP6_SCTP|		\
++    CSUM_IP6_TSO|CSUM_IP6_ISCSI)
+ 
+ /*
+  * Data types
+@@ -570,7 +579,8 @@
+ 			    packet->vlan_tci & 0xfff;
+ 		}
+ 
+-		if (0 == m_head->m_pkthdr.csum_flags) {
++		/* Only check the flags for outbound and ignore the ones for inbound */
++		if (0 == (m_head->m_pkthdr.csum_flags & HV_CSUM_FOR_OUTBOUND)) {
+ 			goto pre_send;
+ 		}
+ 

Added: head/share/security/patches/EN-16:05/hv_netvsc.patch.asc
==============================================================================
Binary file. No diff available.

Added: head/share/security/patches/SA-16:14/openssh-xauth.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-16:14/openssh-xauth.patch	Wed Mar 16 23:10:13 2016	(r48424)
@@ -0,0 +1,62 @@
+--- crypto/openssh/session.c.orig
++++ crypto/openssh/session.c
+@@ -46,6 +46,7 @@
+ 
+ #include <arpa/inet.h>
+ 
++#include <ctype.h>
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <grp.h>
+@@ -274,6 +275,21 @@
+ 	do_cleanup(authctxt);
+ }
+ 
++/* Check untrusted xauth strings for metacharacters */
++static int
++xauth_valid_string(const char *s)
++{
++	size_t i;
++
++	for (i = 0; s[i] != '\0'; i++) {
++		if (!isalnum((u_char)s[i]) &&
++		    s[i] != '.' && s[i] != ':' && s[i] != '/' &&
++		    s[i] != '-' && s[i] != '_')
++		return 0;
++	}
++	return 1;
++}
++
+ /*
+  * Prepares for an interactive session.  This is called after the user has
+  * been successfully authenticated.  During this message exchange, pseudo
+@@ -347,7 +363,13 @@
+ 				s->screen = 0;
+ 			}
+ 			packet_check_eom();
+-			success = session_setup_x11fwd(s);
++			if (xauth_valid_string(s->auth_proto) &&
++			    xauth_valid_string(s->auth_data))
++				success = session_setup_x11fwd(s);
++			else {
++				success = 0;
++				error("Invalid X11 forwarding data");
++			}
+ 			if (!success) {
+ 				free(s->auth_proto);
+ 				free(s->auth_data);
+@@ -2178,7 +2200,13 @@
+ 	s->screen = packet_get_int();
+ 	packet_check_eom();
+ 
+-	success = session_setup_x11fwd(s);
++	if (xauth_valid_string(s->auth_proto) &&
++	    xauth_valid_string(s->auth_data))
++		success = session_setup_x11fwd(s);
++	else {
++		success = 0;
++		error("Invalid X11 forwarding data");
++	}
+ 	if (!success) {
+ 		free(s->auth_proto);
+ 		free(s->auth_data);

Added: head/share/security/patches/SA-16:14/openssh-xauth.patch.asc
==============================================================================
Binary file. No diff available.

Added: head/share/security/patches/SA-16:15/sysarch.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-16:15/sysarch.patch	Wed Mar 16 23:10:13 2016	(r48424)
@@ -0,0 +1,13 @@
+--- sys/amd64/amd64/sys_machdep.c.orig
++++ sys/amd64/amd64/sys_machdep.c
+@@ -580,8 +580,8 @@
+ 	struct i386_ldt_args *uap;
+ 	struct user_segment_descriptor *descs;
+ {
+-	int error = 0, i;
+-	int largest_ld;
++	int error = 0;
++	unsigned int largest_ld, i;
+ 	struct mdproc *mdp = &td->td_proc->p_md;
+ 	struct proc_ldt *pldt;
+ 	struct user_segment_descriptor *dp;

Added: head/share/security/patches/SA-16:15/sysarch.patch.asc
==============================================================================
Binary file. No diff available.

Modified: head/share/xml/advisories.xml
==============================================================================
--- head/share/xml/advisories.xml	Wed Mar 16 20:30:45 2016	(r48423)
+++ head/share/xml/advisories.xml	Wed Mar 16 23:10:13 2016	(r48424)
@@ -11,6 +11,18 @@
       <name>3</name>
 
       <day>
+        <name>16</name>
+
+        <advisory>
+          <name>FreeBSD-SA-16:15.sysarch</name>
+        </advisory>
+
+        <advisory>
+          <name>FreeBSD-SA-16:14.openssh</name>
+        </advisory>
+      </day>
+
+      <day>
         <name>10</name>
 
         <advisory>

Modified: head/share/xml/notices.xml
==============================================================================
--- head/share/xml/notices.xml	Wed Mar 16 20:30:45 2016	(r48423)
+++ head/share/xml/notices.xml	Wed Mar 16 23:10:13 2016	(r48424)
@@ -8,6 +8,22 @@
     <name>2016</name>
 
     <month>
+      <name>3</name>
+
+      <day>
+        <name>16</name>
+
+        <notice>
+          <name>FreeBSD-EN-16:05.hv_netvsc</name>
+        </notice>
+
+        <notice>
+          <name>FreeBSD-EN-16:04.hyperv</name>
+        </notice>
+      </day>
+    </month>
+
+    <month>
       <name>1</name>
 
       <day>



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201603162310.u2GNADiH055508>