Date: Wed, 24 Feb 2021 05:53:50 GMT From: Gordon Tetlow <gordon@FreeBSD.org> To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org Subject: git: 516370df65 - main - Add EN-21:06 to EN-21:08 and SA-21:03 to SA-21:06. Message-ID: <202102240553.11O5rogr087689@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by gordon (src committer): URL: https://cgit.FreeBSD.org/doc/commit/?id=516370df6584390f8886526c148cc83437d07cad commit 516370df6584390f8886526c148cc83437d07cad Author: Gordon Tetlow <gordon@FreeBSD.org> AuthorDate: 2021-02-24 05:53:31 +0000 Commit: Gordon Tetlow <gordon@FreeBSD.org> CommitDate: 2021-02-24 05:53:31 +0000 Add EN-21:06 to EN-21:08 and SA-21:03 to SA-21:06. Approved by: so --- website/data/security/advisories.toml | 16 + website/data/security/errata.toml | 12 + .../advisories/FreeBSD-EN-21:06.microcode.asc | 128 ++ .../advisories/FreeBSD-EN-21:07.caroot.asc | 121 ++ .../advisories/FreeBSD-EN-21:08.freebsd-update.asc | 126 ++ .../FreeBSD-SA-21:03.pam_login_access.asc | 144 ++ .../advisories/FreeBSD-SA-21:04.jail_remove.asc | 161 ++ .../advisories/FreeBSD-SA-21:05.jail_chdir.asc | 162 ++ .../security/advisories/FreeBSD-SA-21:06.xen.asc | 154 ++ .../security/patches/EN-21:06/microcode.patch | 11 + .../security/patches/EN-21:06/microcode.patch.asc | 16 + .../static/security/patches/EN-21:07/caroot.patch | 2145 ++++++++++++++++++++ .../security/patches/EN-21:07/caroot.patch.asc | 16 + .../security/patches/EN-21:08/freebsd-update.patch | 23 + .../patches/EN-21:08/freebsd-update.patch.asc | 16 + .../patches/SA-21:03/pam_login_access.patch | 16 + .../patches/SA-21:03/pam_login_access.patch.asc | 16 + .../security/patches/SA-21:04/jail_remove.13.patch | 95 + .../patches/SA-21:04/jail_remove.13.patch.asc | 16 + .../security/patches/SA-21:04/jail_remove.patch | 66 + .../patches/SA-21:04/jail_remove.patch.asc | 16 + .../security/patches/SA-21:05/jail_chdir.13.patch | 103 + .../patches/SA-21:05/jail_chdir.13.patch.asc | 16 + .../security/patches/SA-21:05/jail_chdir.patch | 98 + .../security/patches/SA-21:05/jail_chdir.patch.asc | 16 + website/static/security/patches/SA-21:06/xen.patch | 34 + .../static/security/patches/SA-21:06/xen.patch.asc | 16 + 27 files changed, 3759 insertions(+) diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml index 95683bed85..10229d9ce6 100644 --- a/website/data/security/advisories.toml +++ b/website/data/security/advisories.toml @@ -1,6 +1,22 @@ # Sort advisories by year, month and day # $FreeBSD$ +[[advisories]] +name = "FreeBSD-SA-21:06.xen" +date = "2021-02-24" + +[[advisories]] +name = "FreeBSD-SA-21:05.jail_chdir" +date = "2021-02-24" + +[[advisories]] +name = "FreeBSD-SA-21:04.jail_remove" +date = "2021-02-24" + +[[advisories]] +name = "FreeBSD-SA-21:03.pam_login_access" +date = "2021-02-24" + [[advisories]] name = "FreeBSD-SA-21:02.xenoom" date = "2021-01-29" diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml index eb4071d077..d6a17c8a9b 100644 --- a/website/data/security/errata.toml +++ b/website/data/security/errata.toml @@ -1,6 +1,18 @@ # Sort errata notices by year, month and day # $FreeBSD$ +[[notices]] +name = "FreeBSD-EN-21:08.freebsd-update" +date = "2021-02-24" + +[[notices]] +name = "FreeBSD-EN-21:07.caroot" +date = "2021-02-24" + +[[notices]] +name = "FreeBSD-EN-21:06.microcode" +date = "2021-02-24" + [[notices]] name = "FreeBSD-EN-21:05.libatomic" date = "2021-01-29" diff --git a/website/static/security/advisories/FreeBSD-EN-21:06.microcode.asc b/website/static/security/advisories/FreeBSD-EN-21:06.microcode.asc new file mode 100644 index 0000000000..ae590c2ec7 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-21:06.microcode.asc @@ -0,0 +1,128 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-21:06.microcode Errata Notice + The FreeBSD Project + +Topic: Boot-time microcode loading causes a boot hang + +Category: core +Module: x86 +Announced: 2021-02-24 +Affects: FreeBSD 12.2 +Corrected: 2021-02-19 20:57:34 UTC (stable/12, 12.2-STABLE) + 2021-02-24 01:43:50 UTC (releng/12.2, 12.2-RELEASE-p4) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +CPU microcode updates may include security fixes or mitigations. The +boot-time microcode loader applies CPU microcode as early in the boot process +as possible, minimizing the amount of code executed without updated +microcode. + +Microcode updates for many different CPU types are concatenated into one file +and loaded by the boot loader. After the kernel has determined the correct +update to apply, it frees the memory containing unused microcode updates, +keeping only the update for the CPU on which the kernel is running. + +II. Problem Description + +An interaction between the code which frees the unused portions of the +microcode file and the rest of the system can cause boot hangs. + +III. Impact + +The kernel may hang during boot if boot-time microcode updates are configured. + +IV. Workaround + +Systems not configured to load microcode at boot-time are unaffected. +Boot-time microcode loading is currently only supported with Intel CPUs. + +On systems that are configured to load microcode at boot-time, setting the +"debug.ucode.release" loader tunable to 0 will prevent the microcode update +file from being freed, working around the problem. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-21:06/microcode.patch +# fetch https://security.FreeBSD.org/patches/EN-21:06/microcode.patch.asc +# gpg --verify microcode.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r369310 +releng/12.2/ r369355 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>; + +VII. References + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:06.microcode.asc>; +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmA15bwACgkQ05eS9J6n +5cLgbg//cottS8aQLl6YmSFs6JIyZwE4RutM2tSrkwkdQmuYLfba3tEyYs3R2iAK +x9y5bf9jFG5m7mUVr9QhEPRGrFlKTdTtW682T5ClLrZO1TIWwTUZlEC9omIpAPV3 +/A2tFFK253Zhufh2bKol8y8LwEle9MrO2xURj8KOo5dFa0HxSrMeCb+YlINV/iCy +hEJPuGvVWr+1rTP0hbKT+lHwtsgV2yB73FuG85p3FtJ4nr7OBlrzDnVgAKANvGTG +VTE/g/mqKfQlYqrNccw8Si/K5vh9PNiFjXiercSyMWV1eaYT6WU/a3x94RlISvR7 +6t56uWyJ9YTs3+E1bwplIZ/0qrCOvcgYqsv6ANu5/2gysFCNaNACDcAtidcly2UB +AL0hDjEQ7sAmsGmjAXfg7bbgUD/1h3saTmI3UmuWayZodMt1w6A0d/3A4bb/yZid +rF3gVvgmLBSjsgSXSqYtnS3N+af/rr01/tLaZh/yvO8d0EwFteyGar/dduSCoXbU +EK636ZNy+df7k6eCfqeh2/WixqSE7pKw2anQXmn11vHMBWDyuF919jMxrm64OdzT +sLlVrGOH8FHbUwnTsNUAfggqO7VUowvfRnYk+CzDElpXqn0Pteq8UCGABLmRKW9u +kISBhJwAjnnybyZ5/nvFaAN5UtvG5he0qhpbvArposyvqLdsgZ0= +=j/+s +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-21:07.caroot.asc b/website/static/security/advisories/FreeBSD-EN-21:07.caroot.asc new file mode 100644 index 0000000000..8919ef0524 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-21:07.caroot.asc @@ -0,0 +1,121 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-21:07.caroot Errata Notice + The FreeBSD Project + +Topic: Root certificate bundle update + +Category: core +Module: caroot +Announced: 2021-02-24 +Affects: FreeBSD 12.2 +Corrected: 2020-12-15 21:50:05 UTC (stable/12, 12.2-STABLE) + 2021-02-24 01:43:56 UTC (releng/12.2, 12.2-RELEASE-p4) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +The root certificate bundle is the trust store that is used by OpenSSL +programs and libraries to aide in determining whether it should trust +a given SSL certificate. + +II. Problem Description + +Several certificates were removed from the bundle after the latest release +of FreeBSD 12.2. + +III. Impact + +Certificates are often removed from the root bundle due to a failure to +meet the standards established by Mozilla for being considered a trusted +Certificate Authority. + +IV. Workaround + +No workaround is available. Software that uses an internal trust store +is not affected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-21:07/caroot.patch +# fetch https://security.FreeBSD.org/patches/EN-21:07/caroot.patch.asc +# gpg --verify caroot.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart all applications that may be using OpenSSL, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r368678 +releng/12.2/ r369357 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>; + +VII. References + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:07.caroot.asc>; +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmA15ccACgkQ05eS9J6n +5cJUlRAAnoqim9czLfJS8ooYVSmB2Q3Td+vg+/QrS1ftwGBI3hXAwzFtlsCn4P35 +7k5tJQL3sVv3/nFfJ6/S5T832tVAfBgxFyzbu1C8zP2fYDLJ7uKKCtluoaHchB1y +KMOE11SPfdPtG0WeWUI1QEqCAhy91mZo1+B4zTMNazZ2AdLs7YSaovrBeYMcAR+K +xSGxvRndtX+4BvtGpehO3F+JMYsjpA06W3HP1gCsg9JnKo1whzrth83ar4V0aONS +Gcl90oyOy4IGHYPDm3vYahtKXmsO8FI3IpuuNDdkeL1KPbrUaCOvmnnTZWS9pAoT +S0DxUtHqfNz+iRuTLRO0/RIaopLADqx0fmDaRqGPy3MFUp1hevRCpPn8o5rtsjEK +hpsaWhhxrD3edGdu459JvM5cMT9Xr9/QxCneeJF96lgDP17IrB57RmNGu048ARbQ +Myb4G5+ypjnQJ4Y4ctGGlIJQcjfI7dVpSRXdj+qTLBdh2BCeL3d4UC267AgGA3mz +uspX/AxIcdHAvsiHGicbhV+tSw0LY1zPLCP9fgWcfDw8jyzY+Jrtj+B4TBsmTStu +qUpbq6WU7SJ4b7inV0RDmugyDAPFwROuc0u8+VSwI7Kt4VuzAPeSgvcythS88/47 +huwCdkRE5Gh6RFy+gTg0tSyv5znQarif6E6pmETSnB8Cr4IbaBk= +=LVRY +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-21:08.freebsd-update.asc b/website/static/security/advisories/FreeBSD-EN-21:08.freebsd-update.asc new file mode 100644 index 0000000000..181200d684 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-21:08.freebsd-update.asc @@ -0,0 +1,126 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-21:08.freebsd-update Errata Notice + The FreeBSD Project + +Topic: freebsd-update passwd regeneration + +Category: core +Module: freebsd-update +Announced: 2021-02-24 +Affects: All supported versions of FreeBSD. +Corrected: 2020-12-27 20:50:53 UTC (stable/12, 12.2-STABLE) + 2021-02-24 01:43:52 UTC (releng/12.2, 12.2-RELEASE-p4) + 2020-12-27 20:52:37 UTC (stable/11, 11.4-STABLE) + 2021-02-24 01:41:49 UTC (releng/11.4, 11.4-RELEASE-p8) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +freebsd-update provides binary updates for supported releases of FreeBSD on +amd64 and i386. + +II. Problem Description + +The existing logic to try and avoid regenerating passwd/login.conf files +relies on timestamp comparisons between old and new files, with the caveat +that it's comparing the installed with a timestamp that has been clobbered to +do the comparison. + +III. Impact + +User and login.conf changes coming in from a binary update may not properly +regenerate the databases for the changes to take effect. + +IV. Workaround + +To workaround this issue, one may regenerate databases manually with +pwd_mkdb(8) and cap_mkdb(1), e.g., + +pwd_mkdb -p /etc/master.passwd +cap_mkdb /etc/login.conf + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. No reboot is required. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-21:08/freebsd-update.patch +# fetch https://security.FreeBSD.org/patches/EN-21:08/freebsd-update.patch.asc +# gpg --verify freebsd-update.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r368873 +releng/12.2/ r369356 +stable/11/ r368824 +releng/11.4/ r369349 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>; + +VII. References + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:08.freebsd-update.asc>; +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmA15cgACgkQ05eS9J6n +5cJRqA/+NMSpCafAMdn0T3ZFbZ+AwN3nHS5t/2UBBRnpUks0CWXR1XnZ7CqeTZUc +vCy3+QR93bQYDVCW7tNCOVs0bL7dVyyT9qLrmaJC1LFBtMAaM091A3gXdlhaL5I9 +mATPs/Qy3/HFDjeWWZDNeg0RsXhzEnM3I/FPhhWYkA/iO++5Og1VuBWFpuPGUZbG +VuRRVuazHzqVKjlQL7XUKHJk2PGJIXTBAZHQkBn4cwux9iDxjhowtvN3hMJSPTPI +GAu3YD1YrM7UIyguh3WieVOVuHtwUdj+mccw3iifn02crq93H2Wyj4nDDYaUQXz5 +Ab9HjuVGE/VjPMgfqRtouQieGTJIMCo8Y/4ytPe+Dhvtxrd4LYBHuYhZFfMFTITC +lAXUhtdF5l/PJWNG24BE3BWjPEgU3vwTtuL56PHcpO08lKgwzidvOtPV2hM2mbw/ +RRJWZ0AYe8q624NwpC96WUvW5DoBA2thBXxmUaQ4KBK06tiSg/jXzmG9em4WfaQH +z2aAeg+MURBaecTfl1gWZFdkOOwNcn089T/XhLh2FuzX4NGIQChvo1gEj7thsXQp +jWF+HUpxfZ9ZZIRuNCdAjCCAY2R3pkAZSGAUvi7TTqZfbPQtAb0SgT6QXj6OslCG +w4puBrBQl+R3g3dN1Q9NSDqmob1g8MrN7mUv8Nl7LFNpnWDh4Bs= +=C5YV +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-21:03.pam_login_access.asc b/website/static/security/advisories/FreeBSD-SA-21:03.pam_login_access.asc new file mode 100644 index 0000000000..2e7f0fac32 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-21:03.pam_login_access.asc @@ -0,0 +1,144 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-21:03.pam_login_access Security Advisory + The FreeBSD Project + +Topic: login.access fails to apply rules + +Category: core +Module: pam_login_access +Announced: 2021-02-24 +Affects: All supported versions of FreeBSD. +Corrected: 2021-02-24 01:20:53 UTC (stable/13, 13.0-STABLE) + 2021-02-24 01:42:42 UTC (releng/13.0, 13.0-BETA3-p1) + 2021-02-24 01:40:36 UTC (stable/12, 12.2-STABLE) + 2021-02-24 01:44:01 UTC (releng/12.2, 12.2-RELEASE-p4) + 2021-02-24 01:39:53 UTC (stable/11, 11.4-STABLE) + 2021-02-24 01:41:53 UTC (releng/11.4, 11.4-RELEASE-p8) +CVE Name: CVE-2020-25580 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +login.access(5) is a system configuration file allowing administrators to +define policy around system login access by specific users and groups. It +is implemented by a pam(3) module, pam_login_access(8), and is configured +by default for accesses via sshd(8), telnetd(8) and the system console. + +II. Problem Description + +A regression in the login.access(5) rule processor has the effect of causing +rules to fail to match even when they should not. This means that rules +denying access may be ignored. + +III. Impact + +The configuration in login.access(5) may not be applied, permitting login +access to users even when the system is configured to deny it. + +IV. Workaround + +No workaround is available. Systems not relying on login.access(5) to +enforce custom login policies are not affected. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-21:03/pam_login_access.patch +# fetch https://security.FreeBSD.org/patches/SA-21:03/pam_login_access.patch.asc +# gpg --verify pam_login_access.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart all daemons that use the library, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/13/ 8cf559d6b9b4782bf67eb868ea480f47fc8c64a4 +releng/13.0/ f82cffcf2f44c909bec00d18549826f5d1d62205 +stable/12/ r369346 +releng/12.2/ r369359 +stable/11/ r369345 +releng/11.4/ r369351 +- ------------------------------------------------------------------------- + +[FreeBSD 13.x] +To see which files were modified by a particular revision, run the following +command in a checked out git repository, replacing NNNNNN with the revision +hash: + +# git show --stat NNNNNN + +Or visit the following URL, replace NNNNNN with the revision hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>; + +[FreeBSD 11.x, FreeBSD 12.x] +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>; + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25580>; + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-21:03.pam_login_access.asc>; +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmA15dYACgkQ05eS9J6n +5cKg1A/+MKN4Gf9ndHqjEUKiquiUGAE63RJC3wZRpN/GsxP2qLArX4QDOXLJxFZ3 ++T+u3lb0vxhhowvp23vFegmQbmWA6ZHI4M+NBsgMnPLTEWkwy4tRTfZDma1Q9j3k +RNPJFnzJ5HTKBXtZom/yKcxuXw1JGlqmxuJYfveBEBIN6PmH5nz3qwcRVV8j+gAM +1CtmnWpUVHm8aOqEGhOPr/eNRbAX14S/rdrtETmyyKm7WlYtiFD8GN5Px+eTTZcM +khZhyhlpvEPU0tLNahnDGiPBmlr8VpysT0+0ZdGsT6qMME8WQne3pvJeM2HaZs8a +ob35quA5tH241NjNBvoYmMj50/UOFS8RZKb6VILX7+PVsYOiuoGKR8ikr6n09SZs +LYThBcnWx5Bwcn08DXbd2bPn48aSFnbe0UMTzwrTC0L/5lp2FLv9j+bhwb3gF6W1 +9hmRHOb+Cvdxxqw/djFCQsxODC9qZzneRW012PTsEZcwB8UjvG+OEVahz5iOfiGC +tXNQ6rdbdTEr7QY+JCx0ngyHkQyDrOEJGd8UTIavr0CiuSdSWzi2zrppqZzvjBIp +MENgB7uWf0MvzkYbxqwlRFr+25MLPGPYNfcLR/NnoWZcEuXR9VUL9Nb+ozH1HGs2 +oziYLqXp3yvDGrHXdItOz5sVsgsZCZLLVD4SVI7Y31Ctxd6MlcM= +=WQ8j +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-21:04.jail_remove.asc b/website/static/security/advisories/FreeBSD-SA-21:04.jail_remove.asc new file mode 100644 index 0000000000..4420ba75c1 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-21:04.jail_remove.asc @@ -0,0 +1,161 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-21:04.jail_remove Security Advisory + The FreeBSD Project + +Topic: jail_remove(2) fails to kill all jailed processes + +Category: core +Module: jail +Announced: 2021-02-24 +Credits: Mateusz Guzik +Affects: All supported versions of FreeBSD. +Corrected: 2021-02-19 01:22:08 UTC (stable/13, 13.0-STABLE) + 2021-02-19 21:53:07 UTC (releng/13.0, 13.0-BETA3-p1) + 2021-02-19 21:46:31 UTC (stable/12, 12.2-STABLE) + 2021-02-24 01:43:39 UTC (releng/12.2, 12.2-RELEASE-p4) + 2021-02-19 21:50:26 UTC (stable/11, 11.4-STABLE) + 2021-02-24 01:41:41 UTC (releng/11.4, 11.4-RELEASE-p8) +CVE Name: CVE-2020-25581 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The jail(2) system call allows a system administrator to lock a process +and all of its descendants inside an environment with a very limited +ability to affect the system outside that environment, even for +processes with superuser privileges. It is an extension of, but +far more powerful than, the traditional UNIX chroot(2) system call. + +The jail_remove(2) system call, which was introduced in FreeBSD 8.0, +allows a non-jailed process to remove a jail, which includes terminating +all the processes running in that jail. + +II. Problem Description + +Due to a race condition in the jail_remove(2) implementation, it may fail +to kill some of the processes. + +III. Impact + +A process running inside a jail can avoid being killed during jail termination. +If a jail is subsequently started with the same root path, a lingering jailed +process may be able to exploit the window during which a devfs filesystem is +mounted but the jail's devfs ruleset has not been applied, to access device +nodes which are ordinarily inaccessible. If the process is privileged, it may +be able to escape the jail and gain full access to the system. + +IV. Workaround + +The problem is limited to scenarios where a jail containing an untrusted, +privileged process is stopped, and a jail is subsequently started with the same +root path. Users not running jails are not affected, and the problem can be +avoided by not starting a jail with the same path as a previously stopped jail. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date and reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 13.x] +# fetch https://security.FreeBSD.org/patches/SA-21:04/jail_remove.13.patch +# fetch https://security.FreeBSD.org/patches/SA-21:04/jail_remove.13.patch.asc +# gpg --verify jail_remove.13.patch.asc + +[FreeBSD 11.x, FreeBSD 12.x] +# fetch https://security.FreeBSD.org/patches/SA-21:04/jail_remove.patch +# fetch https://security.FreeBSD.org/patches/SA-21:04/jail_remove.patch.asc +# gpg --verify jail_remove.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/13/ 894360bacd42f021551f76518edd445f6d299f2e +releng/13.0/ 9f00cb5fa8a438e7b9efb2158f2e2edc730badd1 +stable/12/ r369312 +releng/12.2/ r369353 +stable/11/ r369313 +releng/11.4/ r369347 +- ------------------------------------------------------------------------- + +[FreeBSD 13.x] +To see which files were modified by a particular revision, run the following +command in a checked out git repository, replacing NNNNNN with the revision +hash: + +# git show --stat NNNNNN + +Or visit the following URL, replace NNNNNN with the revision hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>; + +[FreeBSD 11.x, FreeBSD 12.x] +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>; + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25581>; + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-21:04.jail_remove.asc>; +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmA15dYACgkQ05eS9J6n +5cK69Q//UI2SeHrGXytm6ScQzCIbFPlUXlhkCX51WSOJmr/LUXpF9bcUhW73qqov +/c70VGF876woMXHkbfYnCVdB4ETLIqTbGOl2aw/c8fuwrmFdtyeDEQ4SRRfWgdC4 +L6jEgMvB/fMO9e662k19f6RFXrdMspK4rOz3/aowTFbOEvD3Q0HpBUnFbWWg3Iiy +I190M0jbytFuZ2EJQ563bbRFFjEafZ51SKYz1FcR3cJAbVo/q75G3uDrjeNhnHxZ +0VqcTGHmF4Lh+RocUeW0v/1wHL8lBpoAKXmo4IL+FhFIR8fjVpKbGSm/IHSueatT +Tr6xOg93Ef+sETWVn9Jv26BAU06LEM/ZuXz+HS7T7DwnJJeKa3d74KTJnnGauE24 +67OO0i4Fok9Yyy2ArBH8V8mnzdW96dJyHrwdG0UUBddYlEyzArxkUQZyoIdj1Gb1 +fns8ndY8t5tky2fxHZG2UMBWwQKBtbMZY027JRylAJWExsG6wH7DcUJ51FpcnbNe +r3QvCB+ifOBGzFd2S4PduttxHW+xldWknah8513u9mRNCwnSFbY9ZXTpSeDmJaPo +hYAZ2WlDodkaJxbTTMbJ+4fr6wMkmWf32g5pRh+wDfMAd0Wvbzmu/+fUQVf54FNU +Qb91AAtVBuIE0J8jKqZxw+dtno+e6etmO1pXoZXvPHUr2N2BJmI= +=yxgm +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-21:05.jail_chdir.asc b/website/static/security/advisories/FreeBSD-SA-21:05.jail_chdir.asc new file mode 100644 index 0000000000..5112914c16 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-21:05.jail_chdir.asc @@ -0,0 +1,162 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-21:05.jail_chdir Security Advisory + The FreeBSD Project + +Topic: jail_attach(2) relies on the caller to change the cwd + +Category: core +Module: jail +Announced: 2021-02-24 +Credits: Mateusz Guzik +Affects: All supported versions of FreeBSD. +Corrected: 2021-02-22 05:49:40 UTC (stable/13, 13.0-STABLE) + 2021-02-22 18:25:23 UTC (releng/13.0, 13.0-BETA3-p1) + 2021-02-22 19:03:43 UTC (stable/12, 12.2-STABLE) + 2021-02-24 01:43:47 UTC (releng/12.2, 12.2-RELEASE-p4) + 2021-02-22 19:08:27 UTC (stable/11, 11.4-STABLE) + 2021-02-24 01:41:46 UTC (releng/11.4, 11.4-RELEASE-p8) +CVE Name: CVE-2020-25582 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The jail(2) system call allows a system administrator to lock a process +and all of its descendants inside an environment with a very limited +ability to affect the system outside that environment, even for +processes with superuser privileges. It is an extension of, but +far more powerful than, the traditional UNIX chroot(2) system call. + +The jail_attach(2) system call, which was introduced in FreeBSD 5 +before 5.1-RELEASE, allows a non-jailed process to permanently move +into an existing jail. + +The ptrace(2) system call provides tracing and debugging facilities by +allowing one process (the tracing process) to watch and control +another (the traced process). + +II. Problem Description + +When a process, such as jexec(8) or killall(1), calls jail_attach(2) +to enter a jail, the jailed root can attach to it using ptrace(2) before +the current working directory is changed. + +III. Impact + +A process with superuser privileges running inside a jail could change +the root directory outside of the jail, thereby gaining full read and +writing access to all files and directories in the system. + +IV. Workaround + +No workaround is available, but systems that are not running jails with +untrusted root users are not vulnerable. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date +and reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 13.x] +# fetch https://security.FreeBSD.org/patches/SA-21:05/jail_chdir.13.patch +# fetch https://security.FreeBSD.org/patches/SA-21:05/jail_chdir.13.patch.asc +# gpg --verify jail_chdir.13.patch.asc + +[FreeBSD 11.x, FreeBSD 12.x] +# fetch https://security.FreeBSD.org/patches/SA-21:05/jail_chdir.patch +# fetch https://security.FreeBSD.org/patches/SA-21:05/jail_chdir.patch.asc +# gpg --verify jail_chdir.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/13/ 5dbb407145c8128753fa30b695bc266dc671e433 +releng/13.0/ f3f042d850baaeda1bed19e00c2b3b578644b7e9 +stable/12/ r369334 +releng/12.2/ r369354 +stable/11/ r369335 +releng/11.4/ r369348 +- ------------------------------------------------------------------------- + +[FreeBSD 13.x] +To see which files were modified by a particular revision, run the following +command in a checked out git repository, replacing NNNNNN with the revision +hash: + +# git show --stat NNNNNN + +Or visit the following URL, replace NNNNNN with the revision hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>; + +[FreeBSD 11.x, FreeBSD 12.x] +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>; + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25582>; + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-21:05.jail_chdir.asc>; +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmA15dYACgkQ05eS9J6n +5cKj/xAAjbGc0bV3Ua8PuIFoDk7ADnwNotFV9PlXknWpeM4fXVVrt5EDncMfgHdw +XeKHOjzKNocOCtDioDhOcev9hhLeiYJjGHKrOQeKv34hJoufd6Wr0nvLgv/IVlMr +iZRVndvG1eBlnkwzlbx0xh1OY9zhffqjEiVkQNxXZV0iz/P2ndG0wP7N/bTG2QW3 +1mZmp4Fh9AsbjLPVGyutoLZXiypuroGPLQZrth3n7Cz8HklwyPzoAgPOYx7mMW3D +x1Th6kYIEx1aCe+ZBsgOuPsKeZ4SSB5o1w2F5y+mor/rslgQJAppNakBMmyDkSEI +UhEqLGNA469P0qonCHhGY83wfkuUedFTuWLrdnh97J7yr+WIn1ik1/jBXxv3+1kS +bKivBd/oj6hEFULE7r6T/UVomJjU+dPPBm+ewljJFVib+3zIQsbxauLdqUuqWlob +QUkQc4mu7fjVSAMyVbYVrjBAgwQJit0KfX+JSbEcLndmPv1RCK8wnxIf0zbmV2m/ +DMg9QGqwfcJkba6Y/JCAFZcl+HUCfEGUqZ7pEqGuwsp3wnMwO7Qg9IAEmDt8i2lf +6kaqAatJ5Reo/D+j6KJFvGCajnEfD0n+jDx8cdJFNY2Zzbo3/lRGd8dque5OEbTA +O0UZu2hRv5YMIagMf57WWzGrF+ACtgYbath710IKfVUfP/OiCIM= +=/d5L +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-21:06.xen.asc b/website/static/security/advisories/FreeBSD-SA-21:06.xen.asc new file mode 100644 index 0000000000..46ec778a4b --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-21:06.xen.asc @@ -0,0 +1,154 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-21:06.xen Security Advisory + The FreeBSD Project + +Topic: Xen grant mapping error handling issues + +Category: contrib *** 2987 LINES SKIPPED ***
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202102240553.11O5rogr087689>