From: Gordon Tetlow
Date: Tue, 1 Dec 2020 19:53:40 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r54726 - in head/share: security/advisories security/patches/EN-20:19 security/patches/EN-20:20 security/patches/EN-20:21 security/patches/EN-20:22 security/patches/SA-20:31 security/pa...

Author: gordon (src committer)
Date: Tue Dec 1 19:53:40 2020
New Revision: 54726
URL: https://svnweb.freebsd.org/changeset/doc/54726

Log:
  Add EN-20:19 to EN-20:22, SA-20:31, and SA-20:32.
  Approved by: so

Added:
  head/share/security/advisories/FreeBSD-EN-20:19.audit.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-EN-20:20.tzdata.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-EN-20:21.ipfw.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-EN-20:22.callout.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-20:31.icmp6.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-20:32.rtsold.asc (contents, props changed)
  head/share/security/patches/EN-20:19/
  head/share/security/patches/EN-20:19/audit.12.1.patch (contents, props changed)
  head/share/security/patches/EN-20:19/audit.12.1.patch.asc (contents, props changed)
  head/share/security/patches/EN-20:19/audit.12.2.patch (contents, props changed)
  head/share/security/patches/EN-20:19/audit.12.2.patch.asc (contents, props changed)
  head/share/security/patches/EN-20:20/
  head/share/security/patches/EN-20:20/tzdata-2020d.patch (contents, props changed)
  head/share/security/patches/EN-20:20/tzdata-2020d.patch.asc (contents, props changed)
  head/share/security/patches/EN-20:21/
  head/share/security/patches/EN-20:21/ipfw.patch (contents, props changed)
  head/share/security/patches/EN-20:21/ipfw.patch.asc (contents, props changed)
  head/share/security/patches/EN-20:22/
  head/share/security/patches/EN-20:22/callout.12.1.patch (contents, props changed)
  head/share/security/patches/EN-20:22/callout.12.1.patch.asc (contents, props changed)
  head/share/security/patches/EN-20:22/callout.12.2.patch (contents, props changed)
  head/share/security/patches/EN-20:22/callout.12.2.patch.asc (contents, props changed)
  head/share/security/patches/SA-20:31/
  head/share/security/patches/SA-20:31/icmp6.11.4.patch (contents, props changed)
  head/share/security/patches/SA-20:31/icmp6.11.4.patch.asc (contents, props changed)
  head/share/security/patches/SA-20:31/icmp6.12.1.patch (contents, props changed)
  head/share/security/patches/SA-20:31/icmp6.12.1.patch.asc (contents, props changed)
  head/share/security/patches/SA-20:31/icmp6.12.2.patch (contents, props changed)
  head/share/security/patches/SA-20:31/icmp6.12.2.patch.asc (contents, props changed)
  head/share/security/patches/SA-20:32/
  head/share/security/patches/SA-20:32/rtsold.patch (contents, props changed)
  head/share/security/patches/SA-20:32/rtsold.patch.asc (contents, props changed)
Modified:
  head/share/xml/advisories.xml
  head/share/xml/notices.xml

Added: head/share/security/advisories/FreeBSD-EN-20:19.audit.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-20:19.audit.asc Tue Dec 1 19:53:40 2020 (r54726) 
@@ -0,0 +1,142 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-20:19.audit Errata Notice + The FreeBSD Project + +Topic: execve/fexecve system call auditing + +Category: core +Module: kernel +Announced: 2020-12-01 +Affects: FreeBSD 12.1 and later. +Corrected: 2020-10-27 13:13:04 UTC (stable/12, 12.2-STABLE) + 2020-12-01 19:34:45 UTC (releng/12.2, 12.2-RELEASE-p1) + 2020-12-01 19:34:45 UTC (releng/12.1, 12.1-RELEASE-p11) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The audit(4) facility allows a system administrator to audit +security-relevant events. System calls are one such security-related event, +and the audit(4) facility will record whether the system call was successful +along with other important details. + +II. Problem Description + +All execve/fexecve system calls in affected versions will be reported as a +failure, even upon successful execution. For affected kernels, the exact +error reported is EJUSTRETURN, 201, or "Just return" depending on the tooling +used. These can safely be considered successful returns for the fexecve and +execve system calls. Note that audit trails that were produced by kernels +starting with FreeBSD 12.0 will exhibit this problem. + +III. Impact + +It is important to be able to determine when a process is, for instance, +executing a shell. Such events may be indicative of an intrusion if they +are not expected. Failure to report such an execution as successful may +result in intrusions that are no longer detectable. + +IV. Workaround + +No workaround is available. This error is irrelevant for system +administrators that do not use the audit(4) facility. 
Users of the +audit(4) facility could detect the specific error that is being +returned as success, but this may complicate auditing as all failures +must be recorded. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date and reboot. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for errata update" + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 12.2] +# fetch https://security.FreeBSD.org/patches/EN-20:19/audit.12.2.patch +# fetch https://security.FreeBSD.org/patches/EN-20:19/audit.12.2.patch.asc +# gpg --verify audit.12.2.patch.asc + +[FreeBSD 12.1] +# fetch https://security.FreeBSD.org/patches/EN-20:19/audit.12.1.patch +# fetch https://security.FreeBSD.org/patches/EN-20:19/audit.12.1.patch.asc +# gpg --verify audit.12.1.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r367080 +releng/12.2/ r368249 +releng/12.1/ r368249 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/GnclfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cKqdBAAjBubNRAnzviekLybf9W6QnFT+9LrdoHEKM0epXT7GxHeGdKSbWwJPvaO +PmogRZ88uPOvaRVYIjGLXjJf48zA6D5LuQrVre0BEICVsLEaKcoQpwqOgtSKroI4 +LguI26tLC/TmzWMid7CUeDOxzY0yg+t8QWPvrc9kDCZVqDFjrWtUDurLYM50p8Rm +FHfbWgFg0g3ytPF6k7DuafDrSJIs0lULwOtAPBrYR5chTr3/quc6onU99B6oxo4K +rRe4Se458M3Gm637lADAqqyRXtzwMXZ+bJBRFjdMZb3gn6QSRphHluXosv9EWwZe +FV5muyouYzxObkE4ev8dXF8Xx6LyuWfYLj5r064DRS7oFIZjIc/5F3wUITmkzCSc +iqOPZ545JO2Mxd5JwgA6QMy1YagHJb4MKDpwoQG5EHdNSSIRxRy9SEnyyxB/boMw +c65iw+SXM6ln+iAoFO9tyoLF5ek9OFRMH/1hemkY82eECcMA2m8/taSHb3++YOQr +7tmGjBZpynj/xDLQKwQiOrz5bVSPkWFc/4q9yQWAg/IoRPs+j/bsu1QoFlZX5b/8 +/161dxwjs5ZLsTj+/oV/cBKQSWIFkSkbaK61ZAdrysXmGHB1jJ6OZDlsXK9kptHr +XavfRbYVCs8tB6NmWWEcfRQvLso20u+9zLO2X0yGz0+XEpKNU4k= +=QTo/ +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-EN-20:20.tzdata.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-20:20.tzdata.asc Tue Dec 1 19:53:40 2020 (r54726) 
@@ -0,0 +1,148 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-20:20.tzdata Errata Notice + The FreeBSD Project + +Topic: Timezone database information update + +Category: contrib +Module: zoneinfo +Announced: 2020-12-01 +Affects: All supported versions of FreeBSD. +Corrected: 2020-10-23 01:06:33 UTC (stable/12, 12.1-STABLE) + 2020-12-01 19:35:48 UTC (releng/12.2, 12.2-RELEASE-p1) + 2020-12-01 19:35:48 UTC (releng/12.1, 12.1-RELEASE-p11) + 2020-10-23 01:06:42 UTC (stable/11, 11.4-STABLE) + 2020-12-01 19:35:48 UTC (releng/11.4, 11.4-RELEASE-p5) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The tzsetup(8) program allows the user to specify the default local timezone. +Based on the selected timezone, tzsetup(8) copies one of the files from +/usr/share/zoneinfo to /etc/localtime. This file actually controls the +conversion. + +II. Problem Description + +Several changes in Daylight Saving Time happened after previous FreeBSD +releases were released that would affect many people who live in different +parts of the world. Because of these changes, the data in the zoneinfo files +need to be updated, and if the local timezone on the running system is +affected, tzsetup(8) needs to be run so the /etc/localtime is updated. + +III. Impact + +An incorrect time will be displayed on a system configured to use one of the +affected timezones if the /usr/share/zoneinfo and /etc/localtime files are +not updated, and all applications on the system that rely on the system time, +such as cron(8) and syslog(8), will be affected. + +IV. Workaround + +The system administrator can install an updated timezone database from the +misc/zoneinfo port and run tzsetup(8) to get the timezone database corrected. 
+ +Applications that store and display times in Coordinated Universal Time (UTC) +are not affected. + +V. Solution + +Please note that some third party software, for instance PHP, Ruby, Java and +Perl, may be using different zoneinfo data source, in such cases this +software must be updated separately. For software packages that is installed +via binary packages, they can be upgraded by executing `pkg upgrade'. + +Following the instructions in this Errata Notice will update all of the +zoneinfo files to be the same as what was released with FreeBSD release. + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. Restart all the affected +applications and daemons, or reboot the system. + +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Restart all the affected applications and daemons, or reboot the system. + +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-20:20/tzdata-2020d.patch +# fetch https://security.FreeBSD.org/patches/EN-20:20/tzdata-2020d.patch.asc +# gpg --verify tzdata-2020d.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart all the affected applications and daemons, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r366956 +releng/12.2/ r368251 +releng/12.1/ r368251 +stable/11/ r366957 +releng/11.4/ r368251 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/GndRfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cLWBw/9HeAWb+xuxt8CdZUD+99vXFdHb8gLSFrlFZbHnjDwrGhz4yrAzO/3NFxh +j+DQugxxUgLvJpm3W+sYAwqO7TjJE2DkG2BV2r4vdMCax3YpkPqvuk/3oYdVy+nm +c0LTJDwHLWhluO7nrA3v49yOPICMGW1Xb7S7hNPHQaRCEVfP3hI61LM9sHAEp3zW +Q44qWfeXK46grCCbviDI+GVYmQr3/b5QJbvLidzIAz+XTToD88+DDgaowwg8GuUn +9v29aT8LjLB2XNYxRr3CZ5khdZTT5q+CGWSb0VvKHKaRgFMNLYw7gTKDOFTBQi0x +utonkT5Jsxq6kqHbp9drA6LMvUzWOThrabxCaJEk5p7t5FQWtYUfDTsspThwS54e +6n2cSCNg8j3eW6YVF7CVvCrUEsXejA/bv0ZW0M896oy5xizTKa6Yjh1llqNvpJ1h +jW9UrxtI4oGQ+Q2cUc7+85P7ddNQ/wO/SHIRVcKPHVBbs8u0YAikGjUzEhWR/pDD +tzUpNR3UTOIq96h1J+sK+jxk7arw6gCIksNDCKo3AI2DoXTe12K2OdG88OKW/t5P +iZZZufbAvY88SdKSGlBHbSXZLiMB+uH1NTI2Fab4XIetXdZq/5TPX7rRmlINS8nd +LMqCDSsVhjaUR6E1D3pOamo3n8IZgiluxqx7JZ2m9p0nKMjHDZo= +=gsQm +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-EN-20:21.ipfw.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-20:21.ipfw.asc Tue Dec 1 19:53:40 2020 (r54726) 
@@ -0,0 +1,118 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-20:21.ipfw Errata Notice + The FreeBSD Project + +Topic: Uninitialized variable in ipfw + +Category: core +Module: ipfw +Announced: 2020-12-01 +Affects: FreeBSD 12.2 +Corrected: 2020-10-18 20:54:15 UTC (stable/12, 12.2-STABLE) + 2020-12-01 19:36:36 UTC (releng/12.2, 12.2-RELEASE-p1) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +ipfw(8) is the command-line utility used to configure the ipfw(4) firewall. + +II. Problem Description + +A regression in FreeBSD 12.2 meant that ipfw(8) fwd commands referencing +specific port numbers may configure the firewall incorrectly. + +III. Impact + +Forwarding rules referencing port numbers may not work as configured. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-20:21/ipfw.patch +# fetch https://security.FreeBSD.org/patches/EN-20:21/ipfw.patch.asc +# gpg --verify ipfw.patch.asc + +b) Apply the patch. 
Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r366816 +releng/12.2/ r368252 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/GndRfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cLY3w/8DpeBoG7dMm3m60BFStxuQMkUKwuMNiYXVOADLIACLW5F8fRxleAiMh1n +09YHHO/OfoGuuI8FkviqUfwBQsX9ljY8x35/UUZtf19YTllKvmz8gTTAVYmkO0g/ +ohEZBMsA9h9Wfnn51/CVziTtO597mbLsJrt+lXnYVJLUIFdf6VNbK719ZtUOq53v +5mMKaFqyZJzDTouXePPVirvsiM5a2S7qVSoWTDEgog6iYxvEeXhd4Mtbaxbl2UW5 +JJ1ZUycIUECCu2MI09JxZhRaRLnUA4RfzGIu63wxUJtfiKyIK0Afn3Gm/nyF+Sop +X/rm7jg1DDdqMd55QdG9AchI4D4C0DcJbTo4r8OSRFzmwQlTAsfOAlrH3ov+E+0f +rZ8SN2gjR/y+cdWQJxQ04pGh9NJkdrWMZJdZ047NnO8jF25rSN3iMgY6PydhE5TT +JKZXcfjTUqGeFveeMqdaZ5uoUyKaE/DnrNimv7Y4tcY0dsRIVIZQb6ml1dJdrkCG +6R5/yboAp2m9dtkplGUOo7cRae8bxXTQteANhZJYT3dqKDMKUJCw6ZShmr0pg2Of +KASqUMdHYSIyGoUaQ+Pd3s5UweuG8NEZt+p302qbn8cBCncMioibZqUJyo0lt/zn +jVFCZuepLOSGH7u0hYvlizkpbsXkUraBkQOTelqYyxXGoWF7WQg= +=N2u/ +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-EN-20:22.callout.asc 
============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-20:22.callout.asc Tue Dec 1 19:53:40 2020 (r54726) 
@@ -0,0 +1,137 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-20:22.callout Errata Notice + The FreeBSD Project + +Topic: Race condition in callout CPU migration + +Category: core +Module: callout +Announced: 2020-12-01 +Affects: FreeBSD 12.1 and 12.2 +Corrected: 2020-11-26 14:57:30 UTC (stable/12, 12.2-STABLE) + 2020-12-01 19:37:33 UTC (releng/12.2, 12.2-RELEASE-p1) + 2020-12-01 19:37:33 UTC (releng/12.1, 12.1-RELEASE-p11) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The callout(9) kernel subsystem is used by other kernel subsystems to request +execution of a function following a specified timeout. callout(9) implements +an interface which allows a pending callout to be stopped. + +II. Problem Description + +Callouts may be bound to a specific CPU, in which case that CPU is +responsible for raising the timer interrupt which schedules execution of the +callout. + +A kernel thread may attempt to stop a callout while it is actively executing, +in which case the thread goes to sleep until execution has completed. In the +meantime the callout may be re-scheduled and re-executed on a different CPU. +In this scenario, when the sleeping thread finally completes removal of the +callout from some internal data structures, it may modify the wrong CPU's +data structures and thus leave them in an invalid state. + +III. Impact + +The bug may result in kernel panics under some workloads, typically in the +softclock threads. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date and reboot. 
+ +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for errata update" + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 12.2] +# fetch https://security.FreeBSD.org/patches/EN-20:22/callout.12.2.patch +# fetch https://security.FreeBSD.org/patches/EN-20:22/callout.12.2.patch.asc +# gpg --verify callout.12.2.patch.asc + +[FreeBSD 12.1] +# fetch https://security.FreeBSD.org/patches/EN-20:22/callout.12.1.patch +# fetch https://security.FreeBSD.org/patches/EN-20:22/callout.12.1.patch.asc +# gpg --verify callout.12.1.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r368057 +releng/12.2/ r368254 +releng/12.1/ r368254 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/GndVfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJUHxAAg1Mw+GeweWrKv/qaDymHW6YTGF8/y1qJ9YQKhVZ4QCtFMX2E467Slh35 +sVOtfVsfUxKmwsKfdEM93sw9uSjj6///TodhF9vJMKGk/uVpF+PHrnFLtD+2VONs +jhAtH1R5tatIQEZeijaGBGizxXQRN2y2PqUQfKBNIqO5u06rG3KonNI+Cx1TGKm1 +4R0ua06s0i2WpTsdW6AMszJqD3WbvlV7W5aM5pRfWtGM/OFksBKp/ScJ4J/MdOhh +11g4RsbvPvxGwBMad32TDV9Npjmkcjy65Ro92RUHAkDOT9Eftt18w1JYNaOxl+/p +fcS7cLBjdXJgvARJ57turXEiQT03SemG7yu9mr3SB//2Kh/RNVE5KFZev+i1kZOe +98NS8+AYNyN3ovg5ceESuXBpVM+T+mFMu6NLfNFSfgfd0OneNSiiB0uDt2B07TWN +LM0bz3vrq91GSnf7EZWppx/f3e8wIT0lBXcpJMJo9T56096ewoPMx9C5/RNqcrpL +LskXRnwi8od0o8nw7nDWYlIGiAfWkwzXm5slvKA0v2c9qVsyB7OWtGtS+YonOb4c +Eyc5b14MoRb9Y4J/fZHm3gWDVP9OQDWxyRTXvLZq8QCYmOYFoXspIM6kM5geOIZH +S/X3Xl671coCtCJcQVQJShMwgEcEeUCtJcKEOJ+gC3f60E0aLS0= +=l7SY +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-20:31.icmp6.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-20:31.icmp6.asc Tue Dec 1 19:53:40 2020 (r54726) 
@@ -0,0 +1,152 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-20:31.icmp6 Security Advisory + The FreeBSD Project + +Topic: ICMPv6 use-after-free in error message handling + +Category: core +Module: icmp6 +Announced: 2020-12-01 +Credits: Maxime Villard +Affects: All supported versions of FreeBSD. +Corrected: 2020-11-05 22:41:54 UTC (stable/12, 12.2-STABLE) + 2020-12-01 19:38:52 UTC (releng/12.2, 12.2-RELEASE-p1) + 2020-12-01 19:38:52 UTC (releng/12.1, 12.1-RELEASE-p11) + 2020-12-01 03:07:26 UTC (stable/11, 11.4-STABLE) + 2020-12-01 19:38:52 UTC (releng/11.4, 11.4-RELEASE-p5) +CVE Name: CVE-2020-7469 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +ICMPv6 is the ICMP protocol for IPv6. It is used to transmit informational +and error messages between IPv6 hosts. + +II. Problem Description + +When an ICMPv6 error message is received, the FreeBSD ICMPv6 stack may +extract information from the message to hand to upper-layer protocols. As a +part of this operation, it may parse IPv6 header options from a packet +embedded in the ICMPv6 message. + +The handler for a routing option caches a pointer into the packet buffer +holding the ICMPv6 message. However, when processing subsequent options the +packet buffer may be freed, rendering the cached pointer invalid. The +network stack may later dereference the pointer, potentially triggering a +use-after-free. + +III. Impact + +A remote host may be able to trigger a read of freed kernel memory. This may +trigger a kernel panic if the address had been unmapped. + +IV. Workaround + +Systems with IPv6 disabled are not affected. No workaround is available +except to disable IPv6 on the system's network interfaces. + +V. 
Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date and +reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 12.2] +# fetch https://security.FreeBSD.org/patches/SA-20:31/icmp6.12.2.patch +# fetch https://security.FreeBSD.org/patches/SA-20:31/icmp6.12.2.patch.asc +# gpg --verify icmp6.12.2.patch.asc + +[FreeBSD 12.1] +# fetch https://security.FreeBSD.org/patches/SA-20:31/icmp6.12.1.patch +# fetch https://security.FreeBSD.org/patches/SA-20:31/icmp6.12.1.patch.asc +# gpg --verify icmp6.12.1.patch.asc + +[FreeBSD 11.4] +# fetch https://security.FreeBSD.org/patches/SA-20:31/icmp6.11.4.patch +# fetch https://security.FreeBSD.org/patches/SA-20:31/icmp6.11.4.patch.asc +# gpg --verify icmp6.11.4.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r367402 +releng/12.2/ r368255 +releng/12.1/ r368255 +stable/11/ r368202 +releng/11.4/ r368255 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/GndVfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cIE8g//d4TXo4cXH4H0k6Et5lCoKz7R+x/wE6EuTymvKOiYyvwGwk3TZnLwhSSr ++FmwYMa0nQfHl3JdbUFYcQdA8Q/mvh0OZf55icRRHwchA+V9ENzuN8DqP1FPbL09 +Ar3Q7osE2LyblTX9vOF0KYNWT+OmUZE5BDHEJ+OD5TKV2xWMkrksVOylXdKKgNyK +Umc3uccud3nvBlrIeP5SiNewCP06/SEZkSovFI1QKCVJGs4hCO97Es0RWiY9MkPG +JcUOdCsYVrvfcWNeRkcAqnH/vgWQYBumSW15ldNGIrMaUAi0DiDTisFIifPI1z8T +j+WmxN2IGvjYQzLBLhpJqq9Ox1OUD2R6Q0YSsndMHgf2bo1HheVUtQlBPMOq/V/8 +I74Ppu2NPxdh2ocUzk60XaNZ2PuZhqkDMOLqZLcKNEe7m94ImzfNxtDGyRkEwpbw +/Vu4ysFrHQR4derU3c9TV+LJwCYaoNw//0WKpcycnqfvb/y5dWgOc3sBf5zwiuRL +NNwRnnRK/gaGoigJxm/Ev2SNsJDLs0g7IuscwYPRtadi1eUTeKeJFg3yvSVTYRov +tGPIhWYmWvOmKSg8ZGIAnTcXeNleyymw+vi6l0gHtwcLJ0AjdbVEWZ3FCy7XvD3c +yRbkJ4ORllto95caGGtzHDj0CMShYaOMNhrf+QrEYDRMB8jfXh0= +=a0pv +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-20:32.rtsold.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-20:32.rtsold.asc Tue Dec 1 19:53:40 2020 (r54726) 
@@ -0,0 +1,156 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-20:32.rtsold Security Advisory + The FreeBSD Project + +Topic: Multiple vulnerabilities in rtsold + +Category: core +Module: rtsold +Announced: 2020-12-01 +Credits: Quarkslab Vulnerability Reports +Affects: All supported versions of FreeBSD +Corrected: 2020-12-01 19:35:48 UTC (stable/12, 12.2-STABLE) + 2020-12-01 19:39:44 UTC (releng/12.2, 12.2-RELEASE-p1) + 2020-12-01 19:39:44 UTC (releng/12.1, 12.1-RELEASE-p11) + 2020-12-01 19:36:37 UTC (stable/11, 11.4-STABLE) + 2020-12-01 19:39:44 UTC (releng/11.4, 11.4-RELEASE-p5) +CVE Name: CVE-2020-25577 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +As part of the stateless address autoconfiguration (SLAAC) mechanism, IPv6 +routers periodically broadcast router advertisement messages on attached +networks to inform hosts of the correct network prefix, router address and +MTU, as well as additional network parameters such as the DNS servers +(RDNSS), DNS search list (DNSSL) and whether a stateful configuration service +is available. Hosts that have recently joined the network can broadcast a +router solicitation message to solicit an immediate advertisement instead of +waiting for the next periodic advertisement. + +The router solicitation daemon, rtsold(8), broadcasts router solicitation +messages at startup or when the state of an interface changes from passive to +active. Incoming router advertisement messages are first processed by the +kernel and then passed on to rtsold(8), which handles the DNS and stateful +configuration options. + +II. Problem Description + +Two bugs exist in rtsold(8)'s RDNSS and DNSSL option handling. First, +rtsold(8) failed to perform sufficient bounds checking on the extent of the +option. 
In particular, it does not verify that the option does not extend +past the end of the received packet before processing its contents. The +kernel currently ignores such malformed packets but still passes them to +userspace programs. + +Second, when processing a DNSSL option, rtsold(8) decodes domain name labels +per an encoding specified in RFC 1035 in which the first octet of each label +contains the label's length. rtsold(8) did not validate label lengths +correctly and could overflow the destination buffer. + +III. Impact + +It is believed that these bugs could be exploited to gain remote code +execution within the rtsold(8) daemon, which runs as root. Note that +rtsold(8) only processes messages received from hosts attached to the same +physical link as the interface(s) on which rtsold(8) is listening. + +In FreeBSD 12.2 rtsold(8) runs in a Capsicum sandbox, limiting the scope of a +compromised rtsold(8) process. + +IV. Workaround + +No workaround is available, but systems that do not run rtsold(8) are not +affected. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-20:32/rtsold.patch +# fetch https://security.FreeBSD.org/patches/SA-20:32/rtsold.patch.asc +# gpg --verify rtsold.patch.asc + +b) Apply the patch. 
Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart the applicable daemons, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r368250 +releng/12.2/ r368256 +releng/12.1/ r368256 +stable/11/ r368253 +releng/11.4/ r368256 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/GndZfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cIUXQ/+K/FAB22beBBiOUDaRMF0n4a/umwvwX2BAy7PsLIzRcYL8ydhvTWPXQnU +KssmRoi0eobczpIYgIqTDNDTI46UErEvfoCBTIiY+uedER77FKxesfnO/9S3owvh +8uP+WCMzZXRfNvIYqEsK43ipm3LL4rDfUNLEdeFj0bLlwEwiTJaXsdLayJ3KpanN +A3ykePDXnQD41BcDcotvzSV6r7o5dbCILI4K4zEOSCAXBP1Du16J/K/aHOWahJ20 +Ex6YFg0llH3VkAVE9iGdHLGFqakjobUhm+LzV9ShAkXZqZs3Hx+p8dfM4w7aicCM +f6Nn0rLlb4ZdSmMnbsexoZZwO0v2dQNHd1EEtQD6zjJfey1auJKJLTcLoWXH+3mm +w5eOjjmqdOkab0h224q8jidhgyUm1c8By5H5aZ79y5SpRG0mfuS82Z6uIAf0KKZ3 +uIzPswc0YtI30M638ZCKCug3gxwZu4EG7P08/Ab4B0fpyfqqLy6KVsMdH6w64R6+ +64twgiVPuM3DpokvTfdcQLp13IHeMJwkpdc/SICyg3NDAFJZMcIe6eqjko5FsNnH +RSjA0SHRKyl303OLR+jUHe64m+LISyNne+fC1VoThbqQ1f5nWX9PlF4VjRu30Wz4 +8VcmRCehMT1G1aIEGG74zKDeWDP6+bGeieBU7Pa/jfr/aI88Hw0= +=5tIC +-----END PGP 
SIGNATURE----- Added: head/share/security/patches/EN-20:19/audit.12.1.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-20:19/audit.12.1.patch Tue Dec 1 19:53:40 2020 (r54726) 
@@ -0,0 +1,139 @@ +--- sys/amd64/linux/linux_machdep.c.orig ++++ sys/amd64/linux/linux_machdep.c +@@ -81,6 +81,8 @@ + #include + #include + ++#include ++ + #include + #include + #include +@@ -107,6 +109,7 @@ + free(path, M_TEMP); + if (error == 0) + error = linux_common_execve(td, &eargs); ++ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td); + return (error); + } + +--- sys/amd64/linux32/linux32_machdep.c.orig ++++ sys/amd64/linux32/linux32_machdep.c +@@ -69,6 +69,8 @@ + #include + #include + ++#include ++ + #include + #include + #include +@@ -143,6 +145,7 @@ + free(path, M_TEMP); + if (error == 0) + error = linux_common_execve(td, &eargs); ++ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td); + return (error); + } + +--- sys/arm64/linux/linux_machdep.c.orig ++++ sys/arm64/linux/linux_machdep.c +@@ -38,6 +38,8 @@ + #include + #include + ++#include ++ + #include + #include + #include +@@ -74,6 +76,7 @@ + free(path, M_TEMP); + if (error == 0) + error = linux_common_execve(td, &eargs); ++ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td); + return (error); + } + +--- sys/compat/freebsd32/freebsd32_misc.c.orig ++++ sys/compat/freebsd32/freebsd32_misc.c +@@ -440,6 +440,7 @@ + if (error == 0) + error = kern_execve(td, &eargs, NULL); + post_execve(td, error, oldvmspace); ++ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td); + return (error); + } + +@@ -460,6 +461,7 @@ + error = kern_execve(td, &eargs, NULL); + } + post_execve(td, error, oldvmspace); ++ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td); + return (error); + } + +--- sys/i386/linux/linux_machdep.c.orig ++++ sys/i386/linux/linux_machdep.c +@@ -61,6 +61,8 @@ + #include + #include + ++#include ++ + #include + #include + #include +@@ -116,6 +118,7 @@ + free(newpath, M_TEMP); + if (error == 0) + error = linux_common_execve(td, &eargs); ++ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 
0 : error, td); + return (error); + } + +--- sys/kern/kern_exec.c.orig ++++ sys/kern/kern_exec.c +@@ -224,6 +224,7 @@ + if (error == 0) + error = kern_execve(td, &args, NULL); + post_execve(td, error, oldvmspace); ++ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td); + return (error); + } + +@@ -251,6 +252,7 @@ + error = kern_execve(td, &args, NULL); + } + post_execve(td, error, oldvmspace); ++ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td); + return (error); + } + +@@ -279,6 +281,7 @@ + if (error == 0) + error = kern_execve(td, &args, uap->mac_p); + post_execve(td, error, oldvmspace); ++ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td); + return (error); + #else + return (ENOSYS); +--- sys/kern/subr_syscall.c.orig ++++ sys/kern/subr_syscall.c +@@ -133,6 +133,16 @@ + + AUDIT_SYSCALL_ENTER(sa->code, td); + error = (sa->callp->sy_call)(td, sa->args); *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
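Review bot: In FreeBSD-SA-20:32.rtsold.asc, section II (Problem Description) switches tense between "failed to perform sufficient bounds checking", "it does not verify that the option does not extend past the end of the received packet" and "did not validate label lengths correctly", so a reader cannot tell which sentences describe the unpatched daemon and which describe the current tree. Suggest using one tense throughout for the unpatched behaviour. Section V ends with "Restart the applicable daemons, or reboot the system."; the Module field names only rtsold, so naming rtsold(8) there would make it clear to anyone patching from source that the running process keeps the old code until it is restarted. Section IV says systems that do not run rtsold(8) are not affected but gives no way to check; a short line on how to confirm whether the daemon is running would make that statement actionable.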
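Review bot: In audit.12.1.patch, every added call repeats `AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);` (four Linux machdep files, two sites in freebsd32_misc.c, three in kern_exec.c) with no comment saying why EJUSTRETURN is reported to audit as 0. A one-line comment at the first site in kern_exec.c, or a small macro shared by all nine call sites, would keep the mapping from drifting between them. Separately, the subr_syscall.c hunk (`@@ -133,6 +133,16 @@`) is cut off right after `error = (sa->callp->sy_call)(td, sa->args);`, so this mail does not show how the generic exit path treats a syscall whose handler has already called AUDIT_SYSCALL_EXIT; that needs checking against the full patch to rule out the same record being committed twice. In the third kern_exec.c hunk the new call sits only in the branch before `#else`, which leaves the `return (ENOSYS);` path dependent on that generic exit.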