Date: Wed, 16 Mar 2016 23:10:13 +0000 (UTC)
From: Gleb Smirnoff <glebius@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r48424 - in head/share: security/advisories security/patches/EN-16:04 security/patches/EN-16:05 security/patches/SA-16:14 security/patches/SA-16:15 xml
Message-ID: <201603162310.u2GNADiH055508@repo.freebsd.org>
Author: glebius (src committer)
Date: Wed Mar 16 23:10:13 2016
New Revision: 48424
URL: https://svnweb.freebsd.org/changeset/doc/48424

Log:
  Document today's updates:
  FreeBSD-16:04.hyperv
  FreeBSD-16:05.hv_netvsc
  FreeBSD-SA-16:14.openssh
  FreeBSD-SA-16:15.sysarch

Added:
  head/share/security/advisories/FreeBSD-16:04.hyperv.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-16:05.hv_netvsc.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-16:14.openssh.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-16:15.sysarch.asc (contents, props changed)
  head/share/security/patches/EN-16:04/
  head/share/security/patches/EN-16:04/hyperv.patch (contents, props changed)
  head/share/security/patches/EN-16:04/hyperv.patch.asc (contents, props changed)
  head/share/security/patches/EN-16:05/
  head/share/security/patches/EN-16:05/hv_netvsc.patch (contents, props changed)
  head/share/security/patches/EN-16:05/hv_netvsc.patch.asc (contents, props changed)
  head/share/security/patches/SA-16:14/
  head/share/security/patches/SA-16:14/openssh-xauth.patch (contents, props changed)
  head/share/security/patches/SA-16:14/openssh-xauth.patch.asc (contents, props changed)
  head/share/security/patches/SA-16:15/
  head/share/security/patches/SA-16:15/sysarch.patch (contents, props changed)
  head/share/security/patches/SA-16:15/sysarch.patch.asc (contents, props changed)
Modified:
  head/share/xml/advisories.xml
  head/share/xml/notices.xml

Added: head/share/security/advisories/FreeBSD-16:04.hyperv.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-16:04.hyperv.asc Wed Mar 16 23:10:13 2016 (r48424) 
@@ -0,0 +1,137 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-16:04.hyperv Errata Notice + The FreeBSD Project + +Topic: Hyper-V KVP (Key-Value Pair) daemon indefinite sleep + +Category: core +Module: hyperv +Announced: 2016-03-16 +Credits: Microsoft Open Source Technology Center(OSTC) +Affects: FreeBSD 10.x +Corrected: 2015-12-18 14:52:12 UTC (stable/10, 10.2-STABLE) + 2016-03-16 22:31:04 UTC (releng/10.2, 10.2-RELEASE-p14) + 2016-03-16 22:30:56 UTC (releng/10.1, 10.1-RELEASE-p31) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +Hyper-V is a native hypervisor running on Windows operating system. It can +run FreeBSD 10.x as guest in virtual machine. + +Data Exchange is an integration service, also known as a key-value pair or +KVP, that can be used to share information between virtual machines and the +Hyper-V host. For more information, see +<URL:https://technet.microsoft.com/en-us/library/dn798287.aspx>. + +II. Problem Description + +The KVP driver code doesn't implement the KVP device's .d_poll callback +correctly: when there is no data available to the user-mode KVP daemon, the +driver forgets to remember the daemon and wake up the daemon later. As a +result, the daemon can't be woken up in a predictable period of time, and +the host side's KVP query can hang for an unexpected period of time and get +timeout, and finally the host can think the VM is irresponsive or unhealthy. + +III. Impact + +When a FreeBSD 10.x virtual machine runs on Hyper-V, the host may not get the +expected response of a KVP query. 
When a virtual machine runs on Azure, the +host may try to recover the "irresponsive" virtual machine by killing it and +starting it later, causing unnecessary virtual machine downtime. + +IV. Workaround + +Don't run the KVP daemon on a virtual machine. With this, the host will know +that KVP functionality is not working at all, so the host won't try to send KVP +query to virtual machine. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. Reboot is required. + +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Reboot is required. + +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-16:04/hyperv.patch +# fetch https://security.FreeBSD.org/patches/EN-16:04/hyperv.patch.asc +# gpg --verify hyperv.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r292438 +releng/10.1/ r296954 +releng/10.2/ r296955 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://technet.microsoft.com/en-us/library/dn798287.aspx>. + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-16:04.hyperv.asc> +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJW6eQmAAoJEO1n7NZdz2rnq+sQAOOnGB826xMwM5xW7a2rnOKV +SDPzC0XXkHhRltJWSaIBi+nhKusMQcuYEaZDG8P5pvugpJfBPDhv2THu9ofEhvB4 +88iT4sFOKi20iXJxrZQM5UT9tPaDoWUCQ9isr4HseotF5Hda4onplGK3/VXq3xGF +tGjgOfnHbhQbXAf7JZwCfjUeIyYYY2VGBscSwDF/AS0Z9vUEudNKnPEZcC5V19LJ +8vZHjknNpchklnaT0UFZwrpFEgpmSU5rtYlH6FbfWYbspqRjEk1Ia2wkasB9im2z +v2vc+qNOqgOMATgatix0yqzXnBkOqi+5ra0MUipXG89l3Yxvekv0mvqQFYRWN7MN +fjPOnP9i2hjoKbbPEArEmYffOFMjxrOTgzLYVxXntOTUFMgGcUXltgjlo/Ov4Fm0 +CfDIDUBlyPlDkemPYiaRinyLim4M3TOll2M6ucnonFuE//sLfU/DEnlz8pf+yJg3 +jeJ7Pi6YKe+YUrTj2kL8shoPWjg00oHCIZua9nFhdHwNURX5XuoPlf84qxeSmumL +lbQ8Dq82zkECJmJe7fGshUyPGlXqN+ValGYtZkuQwS/vq1cxRomvO1naZQDqJuVA +Z15SW63CnsFIYJvK0Dd0v0i3Nw0WYHRRJ5nFo18WIzHs2FZguib1wqiN6D1oRnrH +0YgK0KZFzwWufB7YB0TG +=4BjO +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-16:05.hv_netvsc.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-16:05.hv_netvsc.asc Wed Mar 16 23:10:13 2016 (r48424) 
@@ -0,0 +1,129 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-16:05.hv_netvsc Errata Notice + The FreeBSD Project + +Topic: hv_netvsc(4) incorrect TCP/IP checksums + +Category: core +Module: hyperv +Announced: 2016-03-16 +Credits: Larry Baird +Affects: FreeBSD 10.2 +Corrected: 2015-12-18 14:56:49 UTC (stable/10, 10.2-STABLE) + 2016-03-16 22:31:04 UTC (releng/10.2, 10.2-RELEASE-p14) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +Hyper-V is a native hypervisor running on Windows operating system. It can +run FreeBSD 10.x as guest in virtual machine. + +When FreeBSD guest runs on Hyper-V, to get the best network performance, +it usually uses the Hyper-V synthetic network device. The driver of the +network device is called hv_netvsc(4). Since FreeBSD 10.2-RELEASE the +driver supports TCP segmentation and TCP/IP checksum offloading. + +II. Problem Description + +Together with the TCP segmentation and TCP/IP checksum offloading a regression +was introduced. The driver checked the inbound checksum flags when deciding +whether to process checksums or not, while it should have checked the outbound +flags only. + +III. Impact + +If the guest running on Hyper-V is configured as a gateway, the host will +silently drop certain packets from the guest. + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. Reboot is required. 
+ +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Reboot is required. + +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-16:05/hv_netvsc.patch +# fetch https://security.FreeBSD.org/patches/EN-16:05/hv_netvsc.patch.asc +# gpg --verify hv_netvsc.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r292439 +releng/10.2/ r296955 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203630> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-16:05.hv_netvsc.asc> +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJW6eQyAAoJEO1n7NZdz2rnOdQQANX3NYcoY1uMJEJcOMgfKp52 +OUKUriPdJjEr94Yq/QSGaIp5WyZ5O/hu89LI45DlJMHGxQYJrpQuM1Cyf2QS770u +yrmfTkcJpqmwJpr4pOqQuYUHuAXkUsOeOysOO/2ccP7USFWqdWbgLotbq3JAFwIz +cnPwteAawZ3BZLaDRXgsr9Hhqn5d++YIsYC3mhyGNJJI6LlNG/ihba2Vd8lDu9hv +UVv0WW8yfv851jEv/vhCQmhHcHcIAhzZGLn47Shi4s0833icvPeU+Xc/cpL/wifX +vCPKA53DqdsNCsPQbbfzgCgoxV1iC3zb/4EOUAIpCInS00N4YQeQiJePH7Im56rc +y6LsccIf1otr8xCuRuWsUVXuzrmtDBKDzE2gwMx+YHAEWl7ObhgM1VYYWoYnwBlr +g+M2Wynjcj/rSZUpBdtUFFDNhqFlvrFSXDUEl0MbK4IzwtyOQtQfnCjy6kTqr2yB +czWonmU9tgLtaqkN61b5pBx+jR2oEC4M8HPHuA2LmEKLJrgfePHBIAZ7cPnWaZ4O +L4uP97MPmZEQggQeED5SLTMl3jJUe52H9XDkN8RV8/P3oA/YXBD4prhg4fYvNKQT +VR0pWvlnJNmjaupCBWOfJfG1S8+oOfoTNV5/Fq83LVLW0DPKHVmLtQfS5Rs02745 +VnvCDT/XPOCODW1KdsSc +=vkxR +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-16:14.openssh.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-16:14.openssh.asc Wed Mar 16 23:10:13 2016 (r48424) 
@@ -0,0 +1,153 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-16:14.openssh Security Advisory + The FreeBSD Project + +Topic: OpenSSH xauth(1) command injection +Category: contrib +Module: OpenSSH +Announced: 2016-03-16 +Credits: +Affects: All supported versions of FreeBSD. +Corrected: 2016-03-12 23:53:20 UTC (stable/10, 10.2-STABLE) + 2016-03-14 13:05:13 UTC (releng/10.3, 10.3-RC2) + 2016-03-16 22:31:04 UTC (releng/10.2, 10.2-RELEASE-p14) + 2016-03-16 22:30:56 UTC (releng/10.1, 10.1-RELEASE-p31) + 2016-03-13 23:50:19 UTC (stable/9, 9.3-STABLE) + 2016-03-16 22:30:03 UTC (releng/9.3, 9.3-RELEASE-p39) +CVE Name: CVE-2016-3115 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +OpenSSH is an implementation of the SSH protocol suite, providing an +encrypted and authenticated transport for a variety of services, +including remote shell access. OpenSSH supports X11 forwarding, +allowing X11 applications on the server to connect to the client's +display. + +When an X11 forwarding session is established, the OpenSSH daemon runs +the xauth tool with information provided by the client to create an +authority file on the server containing information that applications +need in order to connect to the client's X11 display. + +II. Problem Description + +Due to insufficient input validation in OpenSSH, a client which has +permission to establish X11 forwarding sessions to a server can +piggyback arbitrary shell commands on the data intended to be passed +to the xauth tool. + +III. 
Impact + +An attacker with valid credentials and permission to establish X11 +forwarding sessions can bypass other restrictions which may have been +placed on their account, for instance using ForceCommand directives in +the server's configuration file. + +IV. Workaround + +Disable X11 forwarding globally by adding the following line to +/etc/ssh/sshd_config, before any Match blocks: + + X11Forwarding no + +then either restart the OpenSSH daemon or reboot the system. + +Consult the sshd(8) and sshd_config(5) manual pages for additional +information on how to enable or disable X11 forwarding on a per-user +or per-key basis. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +then either restart the OpenSSH daemon or reboot the system. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# service sshd restart + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 9.3] +# fetch https://security.FreeBSD.org/patches/SA-16:14/openssh-xauth.patch +# fetch https://security.FreeBSD.org/patches/SA-16:14/openssh-xauth.patch.asc +# gpg --verify openssh-xauth.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +d) Either restart the OpenSSH daemon or reboot the system. + +VI. 
Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r296780 +releng/9.3/ r296953 +stable/10/ r296781 +releng/10.1/ r296954 +releng/10.2/ r296955 +releng/10.3/ r296853 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:http://www.openssh.com/txt/x11fwd.adv> +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3115> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:14.openssh.asc> +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJW6ePuAAoJEO1n7NZdz2rncF0QAOu5DtldNmqgqr7iwdCguoiB +wTYAenLBBhbj4SoMeqhGd9p6RfoKtgsjt1Pbw/4XXJOIsgvFezm4GvDHWrHCqp14 +3DIJWTxcXcDkRvnqiqUJSDszeM7BYu7G+q8VXEGl0ObMBWfgfsP42jnemx81bI4e +W4Y5/idRvE+6yn7ja3qnNFEB8NfBZOYBV27+tTBiKaZgOt52yWQiFuVIE0WDYS/f +I7Pc5DzMAU5l4bEPRYlniuVKOaGY+JYjbuVW/4af9MU6JYmK3HATtNcAuDi2SsSo +SIpbJeILtyXTi72LClT/Px1GsQi/OIjiE2/7DOtNODyjPnQlRIoHveaaYBZ+WUks +A0hEgaxdDLU+SUHcJKmbdu65eCQtrkdS0vquGnlqd2Q1fqQwwE4U1A2tEgbsGZ6R +fikKBHISZYwhGMkIijy0ImDAD/SzO5UrIsgePM+9PoeGqLRZXKVNCtxaKpA9tO80 +J9MAbLsi7jgzncCGliL6x3m/w6xsJWP//NtyZVF74ydMEh8IuW4n8yrlrZN5cWJa +2rySvewHvdXwlClFzMrAxwRPEo845xmsIvODMpaZplXaIzqNN46WfkBsPZTBkYR4 +xF/YNQkLSjYpbrv9GLfJtDn2+ny5OYkJ/pWhaiN0r7oeBjnbXLz9Y/4sS1rFyIMR +OYy+uH7vcQ7RLXfVgahv +=RZqF +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-16:15.sysarch.asc 
============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-16:15.sysarch.asc Wed Mar 16 23:10:13 2016 (r48424) 
@@ -0,0 +1,141 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-16:15.sysarch Security Advisory + The FreeBSD Project + +Topic: Incorrect argument validation in sysarch(2) + +Category: core +Module: kernel +Announced: 2016-03-16 +Credits: Core Security +Affects: All supported versions of FreeBSD. +Corrected: 2016-03-16 22:35:55 UTC (stable/10, 10.2-STABLE) + 2016-03-16 22:31:04 UTC (releng/10.2, 10.2-RELEASE-p14) + 2016-03-16 22:30:56 UTC (releng/10.1, 10.1-RELEASE-p31) + 2016-03-16 22:36:02 UTC (stable/9, 9.3-STABLE) + 2016-03-16 22:30:03 UTC (releng/9.3, 9.3-RELEASE-p39) +CVE Name: CVE-2016-1885 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The IA-32 architecture allows programs to define segments, which provides +based and size-limited view into the program address space. The +memory-resident processor structure, called Local Descriptor Table, +usually abbreviated LDT, contains definitions of the segments. Since +incorrect or malicious segments would breach system integrity, operating +systems do not provide processes direct access to the LDT, instead +they provide system calls which allow controlled installation and removal +of segments. + +II. Problem Description + +A special combination of sysarch(2) arguments, specify a request to +uninstall a set of descriptors from the LDT. The start descriptor +is cleared and the number of descriptors are provided. Due to invalid +use of a signed intermediate value in the bounds checking during argument +validity verification, unbound zero'ing of the process LDT and adjacent +memory can be initiated from usermode. + +III. Impact + +This vulnerability could cause the kernel to panic. 
In addition it is +possible to perform a local Denial of Service against the system by +unprivileged processes. + +IV. Workaround + +No workaround is available, but only the amd64 architecture is affected. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Reboot is required. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD platforms can be updated +via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Reboot is required. + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch.patch +# fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch.patch.asc +# gpg --verify sysarch.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r296958 +releng/9.3/ r296953 +stable/10/ r296957 +releng/10.1/ r296954 +releng/10.2/ r296955 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1885> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:15.sysarch.asc> +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJW6eO/AAoJEO1n7NZdz2rn0UMP/iU/orN0P6+Rsj9hY2B6M0VS +H6CMMVvketkIIWl9oKX9D/G0g/HyD8uFy06qL2OBz+h99h1oaF5ELl4G6TkF69Ra +yOKrLcWnyi3eWLUaPvGkrLakVpG0+pU3QRvBT+d0nsTarOMPq+nhooarMfAluF3p +c3bXEjzn/lTA5T0zTcGS2o9IgORvYrKRIGW0KJDsCWsDgVyWngsJAJdIrzwx022Q +ENoIGmgLnYsx7TY1cuMtdb3TVyJsZv8zjrrmcLzw67Vly7wShs22CKK23ydDDyy9 +xFYsbWA+X8CarV2uSk8xJCIbWjJSlfc9XvOlHLZEiT7PNCZIk2c2fNLENxHvyNl1 +vgIUBoD/wzzS5QqdnT4r726aQt3pNezns1NDxujwUovVn5nQaXnKOTJHsOthDJ99 +PakEMa93iZqOfzbVouBIBH1IPgNLHof9Jdq3wYiKhrQVJXRespdpCfh3/wdph9LB +ElBOTlrCcShV+N6deO4KI2wNK5h704D4hOMsqlInLwGQmGi7qa4ouWASgzQQmU/8 +6va3mJsgCvzHUpRCMQo7pIZm6SnOIYLdg7S4vV7P6q5oOIBnjFa8bK/Cq+zOR42e +gJs9ou65JTTC0KG+26wXaD2Wx8uriO/+ZfCT/YM29FUUqIdayqHxhACjF0lkY83P +02CAQXURVoI7kbjHaGT7 +=jV9z +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-16:04/hyperv.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-16:04/hyperv.patch Wed Mar 16 23:10:13 2016 (r48424) 
@@ -0,0 +1,48 @@ +--- sys/dev/hyperv/utilities/hv_kvp.c.orig ++++ sys/dev/hyperv/utilities/hv_kvp.c +@@ -44,6 +44,7 @@ + #include <sys/reboot.h> + #include <sys/lock.h> + #include <sys/taskqueue.h> ++#include <sys/selinfo.h> + #include <sys/sysctl.h> + #include <sys/poll.h> + #include <sys/proc.h> +@@ -114,6 +115,8 @@ + static struct hv_kvp_msg *hv_kvp_dev_buf; + struct proc *daemon_task; + ++static struct selinfo hv_kvp_selinfo; ++ + /* + * Global state to track and synchronize multiple + * KVP transaction requests from the host. +@@ -628,6 +631,9 @@ + + /* Send the msg to user via function deamon_read - setting sema */ + sema_post(&kvp_globals.dev_sema); ++ ++ /* We should wake up the daemon, in case it's doing poll() */ ++ selwakeup(&hv_kvp_selinfo); + } + + +@@ -940,7 +946,7 @@ + * for daemon to read. + */ + static int +-hv_kvp_dev_daemon_poll(struct cdev *dev __unused, int events, struct thread *td __unused) ++hv_kvp_dev_daemon_poll(struct cdev *dev __unused, int events, struct thread *td) + { + int revents = 0; + +@@ -953,6 +959,9 @@ + */ + if (kvp_globals.daemon_busy == true) + revents = POLLIN; ++ else ++ selrecord(td, &hv_kvp_selinfo); ++ + mtx_unlock(&kvp_globals.pending_mutex); + + return (revents); Added: head/share/security/patches/EN-16:04/hyperv.patch.asc ============================================================================== Binary file. No diff available. Added: head/share/security/patches/EN-16:05/hv_netvsc.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-16:05/hv_netvsc.patch Wed Mar 16 23:10:13 2016 (r48424) 
@@ -0,0 +1,28 @@ +--- sys/dev/hyperv/netvsc/hv_netvsc_drv_freebsd.c.orig ++++ sys/dev/hyperv/netvsc/hv_netvsc_drv_freebsd.c +@@ -128,6 +128,15 @@ + #define HV_NV_SC_PTR_OFFSET_IN_BUF 0 + #define HV_NV_PACKET_OFFSET_IN_BUF 16 + ++/* ++ * A unified flag for all outbound check sum flags is useful, ++ * and it helps avoiding unnecessary check sum calculation in ++ * network forwarding scenario. ++ */ ++#define HV_CSUM_FOR_OUTBOUND \ ++ (CSUM_IP|CSUM_IP_UDP|CSUM_IP_TCP|CSUM_IP_SCTP|CSUM_IP_TSO| \ ++ CSUM_IP_ISCSI|CSUM_IP6_UDP|CSUM_IP6_TCP|CSUM_IP6_SCTP| \ ++ CSUM_IP6_TSO|CSUM_IP6_ISCSI) + + /* + * Data types +@@ -570,7 +579,8 @@ + packet->vlan_tci & 0xfff; + } + +- if (0 == m_head->m_pkthdr.csum_flags) { ++ /* Only check the flags for outbound and ignore the ones for inbound */ ++ if (0 == (m_head->m_pkthdr.csum_flags & HV_CSUM_FOR_OUTBOUND)) { + goto pre_send; + } + Added: head/share/security/patches/EN-16:05/hv_netvsc.patch.asc ============================================================================== Binary file. No diff available. Added: head/share/security/patches/SA-16:14/openssh-xauth.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-16:14/openssh-xauth.patch Wed Mar 16 23:10:13 2016 (r48424) 
@@ -0,0 +1,62 @@ +--- crypto/openssh/session.c.orig ++++ crypto/openssh/session.c +@@ -46,6 +46,7 @@ + + #include <arpa/inet.h> + ++#include <ctype.h> + #include <errno.h> + #include <fcntl.h> + #include <grp.h> +@@ -274,6 +275,21 @@ + do_cleanup(authctxt); + } + ++/* Check untrusted xauth strings for metacharacters */ ++static int ++xauth_valid_string(const char *s) ++{ ++ size_t i; ++ ++ for (i = 0; s[i] != '\0'; i++) { ++ if (!isalnum((u_char)s[i]) && ++ s[i] != '.' && s[i] != ':' && s[i] != '/' && ++ s[i] != '-' && s[i] != '_') ++ return 0; ++ } ++ return 1; ++} ++ + /* + * Prepares for an interactive session. This is called after the user has + * been successfully authenticated. During this message exchange, pseudo +@@ -347,7 +363,13 @@ + s->screen = 0; + } + packet_check_eom(); +- success = session_setup_x11fwd(s); ++ if (xauth_valid_string(s->auth_proto) && ++ xauth_valid_string(s->auth_data)) ++ success = session_setup_x11fwd(s); ++ else { ++ success = 0; ++ error("Invalid X11 forwarding data"); ++ } + if (!success) { + free(s->auth_proto); + free(s->auth_data); +@@ -2178,7 +2200,13 @@ + s->screen = packet_get_int(); + packet_check_eom(); + +- success = session_setup_x11fwd(s); ++ if (xauth_valid_string(s->auth_proto) && ++ xauth_valid_string(s->auth_data)) ++ success = session_setup_x11fwd(s); ++ else { ++ success = 0; ++ error("Invalid X11 forwarding data"); ++ } + if (!success) { + free(s->auth_proto); + free(s->auth_data); Added: head/share/security/patches/SA-16:14/openssh-xauth.patch.asc ============================================================================== Binary file. No diff available. Added: head/share/security/patches/SA-16:15/sysarch.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-16:15/sysarch.patch Wed Mar 16 23:10:13 2016 (r48424) 
@@ -0,0 +1,13 @@ +--- sys/amd64/amd64/sys_machdep.c.orig ++++ sys/amd64/amd64/sys_machdep.c +@@ -580,8 +580,8 @@ + struct i386_ldt_args *uap; + struct user_segment_descriptor *descs; + { +- int error = 0, i; +- int largest_ld; ++ int error = 0; ++ unsigned int largest_ld, i; + struct mdproc *mdp = &td->td_proc->p_md; + struct proc_ldt *pldt; + struct user_segment_descriptor *dp; Added: head/share/security/patches/SA-16:15/sysarch.patch.asc ============================================================================== Binary file. No diff available. Modified: head/share/xml/advisories.xml ============================================================================== --- head/share/xml/advisories.xml Wed Mar 16 20:30:45 2016 (r48423) +++ head/share/xml/advisories.xml Wed Mar 16 23:10:13 2016 (r48424) @@ -11,6 +11,18 @@ <name>3</name> <day> + <name>16</name> + + <advisory> + <name>FreeBSD-SA-16:15.sysarch</name> + </advisory> + + <advisory> + <name>FreeBSD-SA-16:14.openssh</name> + </advisory> + </day> + + <day> <name>10</name> <advisory> Modified: head/share/xml/notices.xml ============================================================================== --- head/share/xml/notices.xml Wed Mar 16 20:30:45 2016 (r48423) +++ head/share/xml/notices.xml Wed Mar 16 23:10:13 2016 (r48424) @@ -8,6 +8,22 @@ <name>2016</name> <month> + <name>3</name> + + <day> + <name>16</name> + + <notice> + <name>FreeBSD-EN-16:05.hv_netvsc</name> + </notice> + + <notice> + <name>FreeBSD-EN-16:04.hyperv</name> + </notice> + </day> + </month> + + <month> <name>1</name> <day>
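Review bot: the two errata notices are added as head/share/security/advisories/FreeBSD-16:04.hyperv.asc and FreeBSD-16:05.hv_netvsc.asc, without the "EN-" infix, while each notice's own "latest revision" URL (FreeBSD-EN-16:04.hyperv.asc, FreeBSD-EN-16:05.hv_netvsc.asc) and the new notices.xml entries (FreeBSD-EN-16:05.hv_netvsc, FreeBSD-EN-16:04.hyperv) all carry it. Rename the two added files to match, so that the names in notices.xml and the URLs inside the signed text point at files that exist.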
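Review bot: in FreeBSD-SA-16:14.openssh.asc, Solution step 3a labels the only patch "[FreeBSD 9.3]", although the Corrected list and the Correction details table also cover stable/10 and releng/10.1, 10.2 and 10.3. Either drop the label or state which branches openssh-xauth.patch applies to. The "Credits:" field in the same file is empty. Both are inside the clearsigned body, so a corrected text needs a fresh signature.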
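Review bot: FreeBSD-SA-16:15.sysarch.asc is inconsistent about scope. The header says "Affects: All supported versions of FreeBSD", the Workaround section says "only the amd64 architecture is affected", and the accompanying patch touches sys/amd64/amd64/sys_machdep.c only; the Affects line should say amd64. In Solution step 2 the sentence "Systems running a RELEASE version of FreeBSD platforms can be updated" has lost the "on the i386 or amd64" phrase the other three documents use and does not parse as written.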
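Review bot: in hyperv.patch, hunk "@@ -953,6 +959,9 @@", hv_kvp_dev_daemon_poll() still ignores its events argument: it sets revents = POLLIN, and now calls selrecord(), whatever the caller asked to poll for. Test events & (POLLIN | POLLRDNORM) before reporting readiness or recording the thread. The file-scope hv_kvp_selinfo added in hunk "@@ -114,6 +115,8 @@" also gets no teardown anywhere in this patch; it is worth checking whether the device can go away while the daemon sleeps in poll(), in which case the detach path needs a seldrain() on it.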
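Review bot: HV_CSUM_FOR_OUTBOUND in hv_netvsc.patch, hunk "@@ -128,6 +128,15 @@", is an open-coded list of eleven CSUM_* bits, so it goes stale silently if the stack gains another transmit-side flag. The comment above it should say where the list was taken from and that it has to track that definition. The comment also writes "check sum" as two words where the rest of the driver and the advisory use "checksum".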
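Review bot: xauth_valid_string() in openssh-xauth.patch, hunk "@@ -274,6 +275,21 @@", returns 1 for an empty string because the loop body never runs. If an empty auth_proto or auth_data is not meaningful to xauth, reject s[0] == '\0' as well. The same validate-then-call block is pasted into both the "@@ -347,7 +363,13 @@" and "@@ -2178,7 +2200,13 @@" hunks; doing the check inside session_setup_x11fwd() would keep the two call sites from drifting apart and cover any future caller.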
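Review bot: sysarch.patch fixes the bounds check purely by changing the declarations of largest_ld and i from int to unsigned int, and nothing in the hunk records that the signedness is what the check depends on. Add a comment at the declaration saying so, or make the range check on the user-supplied start descriptor and descriptor count explicit, so that a later cleanup that turns these back into int does not reintroduce the unbounded zeroing described in the advisory.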