From owner-svn-doc-all@FreeBSD.ORG Tue May 13 23:55:53 2014 Return-Path: Delivered-To: svn-doc-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id DD275FFC; Tue, 13 May 2014 23:55:53 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id C72602C45; Tue, 13 May 2014 23:55:53 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s4DNtrDq074002; Tue, 13 May 2014 23:55:53 GMT (envelope-from delphij@svn.freebsd.org) Received: (from delphij@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s4DNtqSZ073994; Tue, 13 May 2014 23:55:52 GMT (envelope-from delphij@svn.freebsd.org) Message-Id: <201405132355.s4DNtqSZ073994@svn.freebsd.org> From: Xin LI Date: Tue, 13 May 2014 23:55:52 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r44822 - in head/share: security/advisories security/patches/EN-14:03 security/patches/EN-14:04 security/patches/EN-14:05 security/patches/SA-14:10 xml X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-all@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 13 May 2014 23:55:54 -0000 Author: delphij Date: Tue May 13 23:55:52 2014 New Revision: 44822 URL: http://svnweb.freebsd.org/changeset/doc/44822 Log: Add the latest advisory and 3 new errata notices: Fix OpenSSL NULL pointer deference vulnerability. [SA-14:09] Add pkg bootstrapping, configuration and public keys. [EN-14:03] Improve build repeatability for kldxref(8). [EN-14:04] Fix data corruption with ciss(4). [EN-14:05] Added: head/share/security/advisories/FreeBSD-EN-14:03.pkg.asc (contents, props changed) head/share/security/advisories/FreeBSD-EN-14:04.kldxref.asc (contents, props changed) head/share/security/advisories/FreeBSD-EN-14:05.ciss.asc (contents, props changed) head/share/security/advisories/FreeBSD-SA-14:10.openssl.asc (contents, props changed) head/share/security/patches/EN-14:03/ head/share/security/patches/EN-14:03/pkg-en-releng-8.4.patch (contents, props changed) head/share/security/patches/EN-14:03/pkg-en-releng-8.4.patch.asc (contents, props changed) head/share/security/patches/EN-14:03/pkg-en-releng-9.1.patch (contents, props changed) head/share/security/patches/EN-14:03/pkg-en-releng-9.1.patch.asc (contents, props changed) head/share/security/patches/EN-14:03/pkg-en-releng-9.2.patch (contents, props changed) head/share/security/patches/EN-14:03/pkg-en-releng-9.2.patch.asc (contents, props changed) head/share/security/patches/EN-14:04/ head/share/security/patches/EN-14:04/kldxref.patch (contents, props changed) head/share/security/patches/EN-14:04/kldxref.patch.asc (contents, props changed) head/share/security/patches/EN-14:05/ head/share/security/patches/EN-14:05/ciss.patch (contents, props changed) head/share/security/patches/EN-14:05/ciss.patch.asc (contents, props changed) head/share/security/patches/SA-14:10/ head/share/security/patches/SA-14:10/openssl.patch (contents, props changed) head/share/security/patches/SA-14:10/openssl.patch.asc (contents, props changed) Modified: head/share/xml/advisories.xml head/share/xml/notices.xml Added: head/share/security/advisories/FreeBSD-EN-14:03.pkg.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-14:03.pkg.asc Tue May 13 23:55:52 2014 (r44822) @@ -0,0 +1,180 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-14:03.pkg Errata Notice + The FreeBSD Project + +Topic: pkg bootstrapping, configuration and public keys + +Category: core, packages +Module: pkg +Announced: 2014-05-13 +Credits: Baptiste Daroussin, Bryan Drewery +Affects: All versions of FreeBSD prior to 10.0-RELEASE +Corrected: 2014-04-15 23:40:47 UTC (stable/8, 8.4-STABLE) + 2014-05-13 23:24:32 UTC (releng/8.4, 8.4-RELEASE-p10) + 2014-03-11 14:48:44 UTC (stable/9, 9.2-STABLE) + 2014-05-13 23:24:14 UTC (releng/9.2, 9.2-RELEASE-p6) + 2014-05-13 23:24:14 UTC (releng/9.1, 9.1-RELEASE-p13) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The pkg(7) utility is the new package management tool for FreeBSD. The +FreeBSD project has provided official pkg(7) packages since October 2013 +and signed packages since the pkg-1.2 release in November 2013. The +signature checking requires known public keys to be installed locally. +The repository configuration must be installed as well. + +The base system also includes a pkg(7) bootstrap tool that installs the +latest real pkg(7) package. The bootstrap tool knows where to find the +official pkg(7) package but once that is installed the real pkg(7) will +not know where to find official packages, nor have the known public key +for signature checking. + +The bootstrap tool was also improved in 10.0-RELEASE to check the +signature on the pkg(7) package it is installing. + +II. Problem Description + +Only FreeBSD 10.0 has been released with the official repository +configuration, known public keys, and a bootstrap tool that checks the +signature of the pkg(7) package it is installing. + +To allow packages to be used on a system, the configuration must be +manually setup and keys securely fetched and installed to the proper +location. + +III. Impact + +Releases before 10.0 require manual configuration. Manually configuring the +pkg(7) signatures could result in insecurely installing the keys or leaving +the signature checking disabled. + +The bootstrap tool is not secure on releases prior to 10.0 due to not checking +the signature and could result in having an unofficial pkg(7) installed due to +MITM attacks. + +IV. Workaround + +To securely install pkg(7) on releases prior to 10.0, install it from ports +obtained from a secure portsnap checkout: + +# portsnap fetch extract +# echo "WITH_PKGNG=yes" >> /etc/make.conf +# make -C /usr/ports/ports-mgmt/pkg install clean + +If this is an existing system it may be converted to pkg(7) as well by running: + +# pkg2ng + +After this is done /usr/ports may be removed if no longer required. + +To workaround the configuration and keys being missed, apply the solution in +this Errata. + +V. Solution + +No solution is provided for pkg(7) bootstrap signature checking on releases prior +to 10.0. Upgrading to 10.0 or stable/9 after r263038 will suffice. + +To install the configuration and public key in a secure means, perform one of +the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +2) To update your present system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 9.2] +# fetch http://security.FreeBSD.org/patches/EN-14:03/pkg-en-releng-9.2.patch +# fetch http://security.FreeBSD.org/patches/EN-14:10/pkg-en-releng-9.2.patch.asc +# gpg --verify pkg-en-releng-9.2.patch.asc + +[FreeBSD 9.1] +# fetch http://security.FreeBSD.org/patches/EN-14:03/pkg-en-releng-9.1.patch +# fetch http://security.FreeBSD.org/patches/EN-14:10/pkg-en-releng-9.1.patch.asc +# gpg --verify pkg-en-releng-9.1.patch.asc + +[FreeBSD 8.4] +# fetch http://security.FreeBSD.org/patches/EN-14:03/pkg-en-releng-8.4.patch +# fetch http://security.FreeBSD.org/patches/EN-14:03/pkg-en-releng-8.4.patch.asc +# gpg --verify pkg-en-releng-8.4.patch.asc + +b) Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch +# cd /usr/src/etc/pkg +# mkdir -p /etc/pkg /usr/share/keys/pkg/trusted /usr/share/keys/pkg/revoked +# make install +# cd /usr/src/share/keys/pkg +# make install + +3) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the revision numbers of each file that was +corrected in FreeBSD. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r264519 +releng/8.4/ r265989 +stable/9/ r263937 (*) +releng/9.1/ r265988 +releng/9.2/ r265988 +- ------------------------------------------------------------------------- + +(*) The actual required changeset consists a series of changes, including +r263023,r258550,r263050,r263053 and r263937. + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + +The latest revision of this Errata Notice is available at +http://security.FreeBSD.org/advisories/FreeBSD-EN-14:03.pkg.asc +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.22 (FreeBSD) + +iQIcBAEBCgAGBQJTcq5IAAoJEO1n7NZdz2rnPgsP/i1EV9g4qXg9v6HvakiFFKrv +51810uJe/Eo9iujDT1TpwuYJuFQPzkW+h4JRvapaSLAMxeLsYqxj8WDuKz0eU6sW +WjaPv6LZWUG91jHbFr3uEAgLLvkc86kMI/hfSmzq5FY7gsisEKoyfdraR2E63jtp +BFARxAq9hnddck5zZiX7wCOMtvCVrvrSsozft1p885AUra+Tg9F1RuUloS0CYddD +FtUb1dPMshkHlqHqC1wGzRfBVFgX7NnXfnxIi2St1ft0tEDKIL+HQgnjU2CwKbK7 +S9ioLYbbUhyo6edpS/4+y5gJ1kVLvlelY4myBHUkSOMJrsxoIBCTuXjdnO9PL5gr +qpS9R6TQEMF5auEG5aIOwfu5t8wqczAfC4zVzbm4UPakRYPFS0NfvkDGW2Gno7Yh +iOur/JFLUOqbV9i8UwssS8OzG0cr8EzbZ3iLkVPqt1Cxuxxpx8+NYiYV3F0PMxB8 +iImoOD1BY0lS3x0gqgeZb5ssBk988aVq1cmbrUuriHuKLK/uvSaFHlGXprQyQmTn +4FEFmMNTCSMbYy3J2daEajUroiZVcBEjORPFR8QYtncRgbzB6u/AjVIo+3Uk/0hj +paC8dvBikmT7ity3b7YoOvJIJn62XVqrq9srkYowkDuLJ1E8zQqmR2eZUOmf5vG1 +u3zAXa3xup1ginA9Wi6O +=UI84 +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-EN-14:04.kldxref.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-14:04.kldxref.asc Tue May 13 23:55:52 2014 (r44822) @@ -0,0 +1,127 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-14:04.kldxref Errata Notice + The FreeBSD Project + +Topic: Build repeatability for kldxref(8) + +Category: core +Module: kldxref +Announced: 2014-05-13 +Credits: Jilles Tjoelker +Affects: All versions of FreeBSD prior to 10.0-RELEASE. +Corrected: 2014-05-13 23:35:29 UTC (stable/8, 8.4-STABLE) + 2014-05-13 23:24:32 UTC (releng/8.4, 8.4-RELEASE-p10) + 2013-12-23 22:38:41 UTC (stable/9, 9.2-STABLE) + 2014-05-13 23:24:14 UTC (releng/9.2, 9.2-RELEASE-p6) + 2014-05-13 23:24:14 UTC (releng/9.1, 9.1-RELEASE-p13) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The kldxref utility is used to generate hint files which list modules, their +version numbers, and the files that contain them. These hints are used by +the kernel loader to determine where to find a particular KLD module. + +II. Problem Description + +Previous versions of kldxref(8) do not use an ordered list of files when +generating the hints file. The result of kldxref(8) is equivalent but not +the same if file system layout have been changed. + +III. Impact + +The generated hint files can be different across different builds, making +unnecessary downloads for binary patch files. + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +2) To update your present system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/EN-14:04/kldxref.patch +# fetch http://security.FreeBSD.org/patches/EN-14:04/kldxref.patch.asc +# gpg --verify kldxref.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +3) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the revision numbers of each file that was +corrected in FreeBSD. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r265990 +releng/8.4/ r265989 +stable/9/ r259799 +releng/9.1/ r265988 +releng/9.2/ r265988 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + +The latest revision of this Errata Notice is available at +http://security.FreeBSD.org/advisories/FreeBSD-EN-14:04.kldxref.asc + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.22 (FreeBSD) + +iQIcBAEBCgAGBQJTcq5IAAoJEO1n7NZdz2rnmPgP/iPAKX2lIGwRXkrYFbNPEBSz ++Tehkgw/ReNG0iaAJql/p0LrxyGUoCwE2rpTJxxC8KB9X8Eq74DhjSNpdYaE12E2 +YFMyIyAb1b6wqU34Q7DsR9oPhqIcb9yET2dEg+s5NVSWfC7AMWdvvaJjjxtLgG4L +M9yksDAKs3AJOHEVEtluy7Do8A5W/6b5SHXENbG+AUUBtwnDBKcs9riXic/TQ1WB +vJzHwAJVznQ03bnxqjuG+gZoej6xUHusX+ih87ioKiJrcZ/5szq2C6LIUnRnAA66 +6b/szBJ3gRBweOKeopESIcZfwaLCd53EX9/r9vqAfXK6+3uqoIXzkZCyzo+cgSwa ++88SmZ3/4dao24JPoLbVupIyU0CJjmoLsV9jVCrC/fbkUFTxq7Cgbxeai3rmrpXC +p11FXPJd4cOgwuQYUw3rowtoq8z8Wn3PI073SzwT2OZg4SgXRUn+FzGpMWwqbWoa +1idQ9KSM/pFkoa7bdK5S7mYtp7jU9HQeiTXZYYF1S3URr2XpE1vyUFVOuDJpGkkW +KIT/hdy02wGzPPGjQoFkSR2KpUmJr2zHhVSUdt7a8vvYhbZBR21sBIUNKSoWkYtC +2CQXF4pFBHO/i79RiEU+2E1CKWpsqoHnvnKNRq3Bp54aaU9xa4YcRwRJ7lj9RALm ++igNrZJMo3yw3gs89uGp +=W4to +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-EN-14:05.ciss.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-14:05.ciss.asc Tue May 13 23:55:52 2014 (r44822) @@ -0,0 +1,127 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-14:05.ciss Errata Notice + The FreeBSD Project + +Topic: data corruption with ciss(4) + +Category: core +Module: ciss +Announced: 2014-05-13 +Credits: Sean Bruno +Affects: FreeBSD 10.x and FreeBSD 9.x +Corrected: 2014-04-15 17:52:22 UTC (stable/9, 9.2-STABLE) + 2014-05-13 23:24:14 UTC (releng/9.2, 9.2-RELEASE-p6) + 2014-05-13 23:24:14 UTC (releng/9.1, 9.1-RELEASE-p13) + 2014-04-15 17:49:47 UTC (stable/10, 10.0-STABLE) + 2014-05-13 23:22:28 UTC (releng/10.0, 10.0-RELEASE-p3) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The ciss driver supports HP Smart Array line of hardware RAID controllers. + +II. Problem Description + +There is a programming error discovered in the ciss(4) driver, where a missing +lock can trigger a failed assertion when the volume state changes, such as +disk failure or a disk rebuild. + +III. Impact + +Systems using the ciss(4) driver may experience system crashes or data +corruption when the volume state change. + +IV. Workaround + +No workaround is available, but systems that do not use ciss(4) devices are +not affected. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +2) To update your present system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/EN-14:05/ciss.patch +# fetch http://security.FreeBSD.org/patches/EN-14:05/ciss.patch.asc +# gpg --verify ciss-10.patch.asc + +b) Apply the patch. + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +3) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the revision numbers of each file that was +corrected in FreeBSD. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r264511 +releng/9.1/ r265988 +releng/9.2/ r265988 +stable/10/ r264510 +releng/10.0/ r265987 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + +The latest revision of this Errata Notice is available at +http://security.FreeBSD.org/advisories/FreeBSD-EN-14:05.ciss.asc + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.22 (FreeBSD) + +iQIcBAEBCgAGBQJTcq5IAAoJEO1n7NZdz2rnNqAQAJCfdCBubWSDRO/dsSaqK6yT +bnPY4Xly523ABRCQySe0vajSIK1qqfE0bAmhYa/7BTMqyJKz0BRhx819D8SiWNS9 +Hdy4yU/hOjBkbT6KAtpBaSUNXX4ODWaNbd78c+uDSvj9UeQgrunAQC7OJR6iYWuq +25fBUXgovSr4g9puNyBs8sH+c7IzbG4HvhoPrjRDwdasEyCBzx6RggpnxusfVsd9 +91Eg/WPG3hIJW6kaHOWWeVwz4vCRZjv0u7myeJBcAa7gcwDX/J2DHeDrG60O3BNY +/fZT2UcfDxE0rEVuVnV3Vc0XkIQjuNk7G9SkGjH4Zdx+I34UT05cxU5ZrdpKNiGL +fjbo4H/KBML4agRGAPzeo3KU3rxOUmss+mh7Mu+CVoZP5uQUr1sEUkfQ+FkJjjbv +es47Ij6ZmfGyUPuVKVCW34bXm6Ieyc0QZ10kRv8paOmPsWBA+WYWGibEhvwp5v0p +AHdlGGO/FpOac4h/YEqOh6ryN8QldjCI+SCqkfs38DjeTX5IWecgax586oH7BpJm +RGc/fgx3YSO8tmMaTwKZm5VVlujsld6t95XrA2dGWOhiWcRsoWGs+SaUTNf5Y0Te +k2vD7tMsk37PG4jbp7pk4FH2Mfb9KRHe82ebdOnkOj4C5kWIB8FwYJyMIjDl3C4r +OdXZDrbyKh/swjJZJIuP +=orSF +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-14:10.openssl.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-14:10.openssl.asc Tue May 13 23:55:52 2014 (r44822) @@ -0,0 +1,140 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-14:10.openssl Security Advisory + The FreeBSD Project + +Topic: OpenSSL NULL pointer deference vulnerability + +Category: contrib +Module: openssl +Announced: 2014-05-13 +Affects: FreeBSD 10.x. +Corrected: 2014-05-13 23:19:16 UTC (stable/10, 10.0-STABLE) + 2014-05-13 23:22:28 UTC (releng/10.0, 10.0-RELEASE-p3) +CVE Name: CVE-2014-0198 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is +a collaborative effort to develop a robust, commercial-grade, full-featured +Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) +and Transport Layer Security (TLS v1) protocols as well as a full-strength +general purpose cryptography library. + +The TLS protocol supports an alert protocol which can be used to signal the +other party with certain failures in the protocol context that may require +immediate termination of the connection. + +II. Problem Description + +An attacker can trigger generation of an SSL alert which could cause a null +pointer deference. + +III. Impact + +An attacker may be able to cause a service process that uses OpenSSL to crash, +which can be used in a denial-of-service attack. + +IV. Workaround + +No workaround is available, but systems that do not use OpenSSL to implement +the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) +protocols, or not using SSL_MODE_RELEASE_BUFFERS and use the same process +to handle multiple SSL connections, are not vulnerable. + +The FreeBSD base system service daemons and utilities do not use the +SSL_MODE_RELEASE_BUFFERS mode. However, many third party software uses this +mode to reduce their memory footprint and may therefore be affected by this +issue. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/SA-14:10/openssl.patch +# fetch http://security.FreeBSD.org/patches/SA-14:10/openssl.patch.asc +# gpg --verify openssl.patch.asc + +b) Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +Recompile the operating system using buildworld and installworld as +described in . + +Restart all deamons using the library, or reboot the system. + +3) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r265986 +releng/10.0/ r265987 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + + + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.22 (FreeBSD) + +iQIcBAEBCgAGBQJTcq5IAAoJEO1n7NZdz2rnNb4QAODp1Pxk3GlTwlptWQkC+DJb +bwd2RRtkvkz677JIbdtyM7b5POgUih/NtAF9Yyy/pg8IJcSRiv0f7F5L+maV9nee +KGb27zizWOgIqor6HhRAv2OniVN271OfoyCkt0xRmigBR6dQ80iBVuCk6McvxvjL +5Yfw8wtfF8zAo5p1d4V3EEPOIVPwgJ31YnB/sVv+SyV6Ldl5DS0Gp1Cm9KjvaJUI +CUIljIaH6AFuzs671V4DpuFPtFPIsvGUhEdpf6+ypVJN1J/D+BNRvoIX1zxou4Kf +34qB6cs/LlyBKCPctK/qLU7UScNsuUItpWrw5ESHFHdgsTr8XA9POxU72wlCRCoQ +T2A6zIqPQRgCWfrPnmJNwLN9riMQGc2oFBXd19iITyc8/7OcXAFnzIy+zu++jZp6 +rMwGIUCg5UKkSGVWnoYyS/1SQRYqi4MzUqC/AwpQHKoE5CqUzVCJ7zGTFcsie0o4 +wfWoFlkgbNl0Attn4HLuXncjvGVCMeWqUERKBU7xIxC1D5PKXF5QmCUqlZrddBaw +ATIFsPEopu2bX/+sbgcGKSF5WAWwdT92vIgarjW3UkKDYihRNKusrOwp3sue7Iw+ +QIweOaJLqpSnfQ3me62I3fWYjRwceeASeTx7dYdxrK1Dx5DnlN8gGwwhl/7cvoWe +Xm6DqYXeQRsIxZ7Ng/PO +=4EYM +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-14:03/pkg-en-releng-8.4.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-14:03/pkg-en-releng-8.4.patch Tue May 13 23:55:52 2014 (r44822) @@ -0,0 +1,232 @@ +Index: etc/Makefile +=================================================================== +--- etc/Makefile (revision 265457) ++++ etc/Makefile (working copy) +@@ -172,6 +172,7 @@ distribution: + ${_+_}cd ${.CURDIR}/devd; ${MAKE} install + ${_+_}cd ${.CURDIR}/gss; ${MAKE} install + ${_+_}cd ${.CURDIR}/periodic; ${MAKE} install ++ ${_+_}cd ${.CURDIR}/pkg; ${MAKE} install + ${_+_}cd ${.CURDIR}/rc.d; ${MAKE} install + ${_+_}cd ${.CURDIR}/../gnu/usr.bin/send-pr; ${MAKE} etc-gnats-freefall + ${_+_}cd ${.CURDIR}/../share/termcap; ${MAKE} etc-termcap +Index: etc/mtree/BSD.root.dist +=================================================================== +--- etc/mtree/BSD.root.dist (revision 265457) ++++ etc/mtree/BSD.root.dist (working copy) +@@ -52,6 +52,8 @@ + weekly + .. + .. ++ pkg ++ .. + ppp + .. + rc.d +Index: etc/mtree/BSD.usr.dist +=================================================================== +--- etc/mtree/BSD.usr.dist (revision 265457) ++++ etc/mtree/BSD.usr.dist (working copy) +@@ -340,6 +340,14 @@ + .. + info + .. ++ keys ++ pkg ++ revoked ++ .. ++ trusted ++ .. ++ .. ++ .. + locale + UTF-8 + .. +Index: etc/pkg/FreeBSD.conf +=================================================================== +--- etc/pkg/FreeBSD.conf (revision 0) ++++ etc/pkg/FreeBSD.conf (working copy) +@@ -0,0 +1,16 @@ ++# $FreeBSD$ ++# ++# To disable this repository, instead of modifying or removing this file, ++# create a /usr/local/etc/pkg/repos/FreeBSD.conf file: ++# ++# mkdir -p /usr/local/etc/pkg/repos ++# echo "FreeBSD: { enabled: no }" > /usr/local/etc/pkg/repos/FreeBSD.conf ++# ++ ++FreeBSD: { ++ url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest", ++ mirror_type: "srv", ++ signature_type: "fingerprints", ++ fingerprints: "/usr/share/keys/pkg", ++ enabled: yes ++} +Index: etc/pkg/Makefile +=================================================================== +--- etc/pkg/Makefile (revision 0) ++++ etc/pkg/Makefile (working copy) +@@ -0,0 +1,10 @@ ++# $FreeBSD$ ++ ++NO_OBJ= ++ ++FILES= FreeBSD.conf ++ ++FILESDIR= /etc/pkg ++FILESMODE= 644 ++ ++.include +Index: share/Makefile +=================================================================== +--- share/Makefile (revision 265457) ++++ share/Makefile (working copy) +@@ -9,6 +9,7 @@ SUBDIR= ${_colldef} \ + ${_dict} \ + ${_doc} \ + ${_examples} \ ++ keys \ + ${_man} \ + ${_me} \ + misc \ +Index: share/keys/Makefile +=================================================================== +--- share/keys/Makefile (revision 0) ++++ share/keys/Makefile (working copy) +@@ -0,0 +1,5 @@ ++# $FreeBSD$ ++ ++SUBDIR= pkg ++ ++.include +Index: share/keys/pkg/Makefile +=================================================================== +--- share/keys/pkg/Makefile (revision 0) ++++ share/keys/pkg/Makefile (working copy) +@@ -0,0 +1,5 @@ ++# $FreeBSD$ ++ ++SUBDIR= trusted ++ ++.include +Index: share/keys/pkg/trusted/Makefile +=================================================================== +--- share/keys/pkg/trusted/Makefile (revision 0) ++++ share/keys/pkg/trusted/Makefile (working copy) +@@ -0,0 +1,10 @@ ++# $FreeBSD$ ++ ++NO_OBJ= ++ ++FILES= pkg.freebsd.org.2013102301 ++ ++FILESDIR= /usr/share/keys/pkg/trusted ++FILESMODE= 644 ++ ++.include +Index: share/keys/pkg/trusted/pkg.freebsd.org.2013102301 +=================================================================== +--- share/keys/pkg/trusted/pkg.freebsd.org.2013102301 (revision 0) ++++ share/keys/pkg/trusted/pkg.freebsd.org.2013102301 (working copy) +@@ -0,0 +1,4 @@ ++# $FreeBSD$ ++ ++function: "sha256" ++fingerprint: "b0170035af3acc5f3f3ae1859dc717101b4e6c1d0a794ad554928ca0cbb2f438" +Index: share/man/man7/hier.7 +=================================================================== +--- share/man/man7/hier.7 (revision 265457) ++++ share/man/man7/hier.7 (working copy) +@@ -32,7 +32,7 @@ + .\" @(#)hier.7 8.1 (Berkeley) 6/5/93 + .\" $FreeBSD$ + .\" +-.Dd May 25, 2008 ++.Dd October 29, 2013 + .Dt HIER 7 + .Os + .Sh NAME +@@ -546,6 +546,16 @@ ASCII text files used by various games + device description file for device name + .It Pa info/ + GNU Info hypertext system ++.It Pa keys/ ++known trusted and revoked keys. ++.Bl -tag -width ".Pa keys/pkg/" -compact ++.It Pa keys/pkg/ ++fingerprints for ++.Xr pkg 7 ++and ++.Xr pkg 8 ++.El ++.Pp + .It Pa locale/ + localization files; + see +Index: usr.sbin/pkg/pkg.c +=================================================================== +--- usr.sbin/pkg/pkg.c (revision 265457) ++++ usr.sbin/pkg/pkg.c (working copy) +@@ -284,13 +284,10 @@ bootstrap_pkg(void) + { + struct url *u; + FILE *remote; +- FILE *config; +- char *site; + struct dns_srvinfo *mirrors, *current; + /* To store _https._tcp. + hostname + \0 */ + char zone[MAXHOSTNAMELEN + 13]; + char url[MAXPATHLEN]; +- char conf[MAXPATHLEN]; + char abi[BUFSIZ]; + char tmppkg[MAXPATHLEN]; + char buf[10240]; +@@ -306,7 +303,6 @@ bootstrap_pkg(void) + max_retry = 3; + ret = -1; + remote = NULL; +- config = NULL; + current = mirrors = NULL; + + printf("Bootstrapping pkg please wait\n"); +@@ -387,26 +383,6 @@ bootstrap_pkg(void) + if ((ret = extract_pkg_static(fd, pkgstatic, MAXPATHLEN)) == 0) + ret = install_pkg_static(pkgstatic, tmppkg); + +- snprintf(conf, MAXPATHLEN, "%s/etc/pkg.conf", +- getenv("LOCALBASE") ? getenv("LOCALBASE") : _LOCALBASE); +- +- if (access(conf, R_OK) == -1) { +- site = strrchr(url, '/'); +- if (site == NULL) +- goto cleanup; +- site[0] = '\0'; +- site = strrchr(url, '/'); +- if (site == NULL) +- goto cleanup; +- site[0] = '\0'; +- +- config = fopen(conf, "w+"); +- if (config == NULL) +- goto cleanup; +- fprintf(config, "packagesite: %s\n", url); +- fclose(config); +- } +- + goto cleanup; + + fetchfail: +@@ -423,7 +399,11 @@ cleanup: + + static const char confirmation_message[] = + "The package management tool is not yet installed on your system.\n" +-"Do you want to fetch and install it now? [y/N]: "; ++"The mechanism for doing this is not secure on FreeBSD 8. To securely install\n" ++"pkg(8), use ports from a portsnap checkout:\n" ++" # portsnap fetch extract\n" ++" # make -C /usr/ports/ports-mgmt/pkg install clean\n" ++"Do you still want to fetch and install it now? [y/N]: "; + + static int + pkg_query_yes_no(void) Added: head/share/security/patches/EN-14:03/pkg-en-releng-8.4.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-14:03/pkg-en-releng-8.4.patch.asc Tue May 13 23:55:52 2014 (r44822) @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.22 (FreeBSD) + +iQIcBAABCgAGBQJTcq56AAoJEO1n7NZdz2rn7uAP/Aj/qkmd/B1E5OcnVndzFdVV +wk7qiDIfo3SckWu0Mz3j45qKgZLYvPgnY4ensL8IuOT2RzLVj9PP9Bqy3aEZquPf +6kYCOGDI8B2wZm8o6aRYPlRAY97OvrEucGFWk6kQCCpak4HmntqvIBmaTqeZ7tKV +lohRBdVNBvYdO89IK3K4hbVReVP2D2qg6U6lZuj0RNLKjVTD8NtUqJMkwQQJTYK9 +3BAsiqZM7QFo/E85aP11/Ox14SYov4VQ5zONl2OhshbL4dANrVUGZxh2/ecaN2pv +k+TGCHzd/o6fdopTawZTUqBLRt+Pbj5VCCVWqxszoA5xfIsLmFt9hNTGtzNnevVZ +WjKDba4nyzQoEwig58jbMIKV0eKjvOOmvOAK80EBd9gAOftcsNiFMIuDBkAy0z6j +1mHlQZJXcg4PjOgmzGgZjQrTOiwfGpsisbBnmOhMuBPhrglv7n5QCg5k91i8EBqQ +AWpTY+UcxuFKn2CkEjubppwxf9kqBvK7ClO8gpsJxERjCVPkop8hJfiw9EG+Jzkp +fp4pIeajT+Dj6pAS+Y64tjkClPVTDKEK0H2Ut3d44DO8RUrAgXSWwgqRWNeQQvcM +U4HIuY8+Qt4Ue8NECGYlpJ/RvsoKROiM0hcQH7auGOqsUkdr9k9kA4ICABy43SK6 +KO7yxSd7x7hFFuUVMpV3 +=pIs3 +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-14:03/pkg-en-releng-9.1.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-14:03/pkg-en-releng-9.1.patch Tue May 13 23:55:52 2014 (r44822) @@ -0,0 +1,229 @@ +Index: etc/Makefile +=================================================================== +--- etc/Makefile (revision 265457) ++++ etc/Makefile (working copy) +@@ -205,6 +205,7 @@ distribution: + ${_+_}cd ${.CURDIR}/devd; ${MAKE} install + ${_+_}cd ${.CURDIR}/gss; ${MAKE} install + ${_+_}cd ${.CURDIR}/periodic; ${MAKE} install ++ ${_+_}cd ${.CURDIR}/pkg; ${MAKE} install + ${_+_}cd ${.CURDIR}/rc.d; ${MAKE} install + ${_+_}cd ${.CURDIR}/../gnu/usr.bin/send-pr; ${MAKE} etc-gnats-freefall + ${_+_}cd ${.CURDIR}/../share/termcap; ${MAKE} etc-termcap +Index: etc/mtree/BSD.root.dist +=================================================================== +--- etc/mtree/BSD.root.dist (revision 265457) ++++ etc/mtree/BSD.root.dist (working copy) +@@ -52,6 +52,8 @@ + weekly + .. + .. ++ pkg ++ .. + ppp + .. + rc.d +Index: etc/mtree/BSD.usr.dist +=================================================================== +--- etc/mtree/BSD.usr.dist (revision 265457) ++++ etc/mtree/BSD.usr.dist (working copy) +@@ -398,6 +398,14 @@ + .. + .. + .. ++ keys ++ pkg ++ revoked ++ .. ++ trusted ++ .. ++ .. ++ .. + locale + UTF-8 + .. +Index: etc/pkg/FreeBSD.conf +=================================================================== +--- etc/pkg/FreeBSD.conf (revision 0) ++++ etc/pkg/FreeBSD.conf (working copy) +@@ -0,0 +1,16 @@ ++# $FreeBSD$ ++# ++# To disable this repository, instead of modifying or removing this file, ++# create a /usr/local/etc/pkg/repos/FreeBSD.conf file: ++# ++# mkdir -p /usr/local/etc/pkg/repos ++# echo "FreeBSD: { enabled: no }" > /usr/local/etc/pkg/repos/FreeBSD.conf ++# ++ ++FreeBSD: { ++ url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest", ++ mirror_type: "srv", ++ signature_type: "fingerprints", ++ fingerprints: "/usr/share/keys/pkg", ++ enabled: yes ++} +Index: etc/pkg/Makefile +=================================================================== +--- etc/pkg/Makefile (revision 0) ++++ etc/pkg/Makefile (working copy) +@@ -0,0 +1,10 @@ ++# $FreeBSD$ ++ ++NO_OBJ= ++ ++FILES= FreeBSD.conf ++ ++FILESDIR= /etc/pkg ++FILESMODE= 644 ++ ++.include +Index: share/Makefile +=================================================================== +--- share/Makefile (revision 265457) ++++ share/Makefile (working copy) +@@ -10,6 +10,7 @@ SUBDIR= ${_colldef} \ + ${_doc} \ + ${_examples} \ + ${_i18n} \ ++ keys \ + ${_man} \ + ${_me} \ + misc \ +Index: share/keys/Makefile +=================================================================== +--- share/keys/Makefile (revision 0) ++++ share/keys/Makefile (working copy) +@@ -0,0 +1,5 @@ ++# $FreeBSD$ ++ ++SUBDIR= pkg ++ ++.include +Index: share/keys/pkg/Makefile +=================================================================== +--- share/keys/pkg/Makefile (revision 0) ++++ share/keys/pkg/Makefile (working copy) +@@ -0,0 +1,5 @@ ++# $FreeBSD$ ++ ++SUBDIR= trusted ++ ++.include +Index: share/keys/pkg/trusted/Makefile +=================================================================== +--- share/keys/pkg/trusted/Makefile (revision 0) ++++ share/keys/pkg/trusted/Makefile (working copy) +@@ -0,0 +1,10 @@ ++# $FreeBSD$ ++ ++NO_OBJ= ++ ++FILES= pkg.freebsd.org.2013102301 ++ ++FILESDIR= /usr/share/keys/pkg/trusted ++FILESMODE= 644 ++ ++.include +Index: share/keys/pkg/trusted/pkg.freebsd.org.2013102301 +=================================================================== +--- share/keys/pkg/trusted/pkg.freebsd.org.2013102301 (revision 0) ++++ share/keys/pkg/trusted/pkg.freebsd.org.2013102301 (working copy) +@@ -0,0 +1,4 @@ ++# $FreeBSD$ ++ ++function: "sha256" ++fingerprint: "b0170035af3acc5f3f3ae1859dc717101b4e6c1d0a794ad554928ca0cbb2f438" +Index: share/man/man7/hier.7 +=================================================================== +--- share/man/man7/hier.7 (revision 265457) ++++ share/man/man7/hier.7 (working copy) +@@ -32,7 +32,7 @@ + .\" @(#)hier.7 8.1 (Berkeley) 6/5/93 + .\" $FreeBSD$ + .\" +-.Dd May 25, 2008 ++.Dd October 29, 2013 + .Dt HIER 7 + .Os + .Sh NAME +@@ -546,6 +546,16 @@ ASCII text files used by various games + device description file for device name + .It Pa info/ + GNU Info hypertext system ++.It Pa keys/ ++known trusted and revoked keys. ++.Bl -tag -width ".Pa keys/pkg/" -compact *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***