From: Gleb Smirnoff
Date: Wed, 16 Mar 2016 23:12:07 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r48425 - head/share/security/advisories

Author: glebius (src committer)
Date: Wed Mar 16 23:12:06 2016
New Revision: 48425
URL: https://svnweb.freebsd.org/changeset/doc/48425

Log:
  Oops, rename ENs properly.

Added:
  head/share/security/advisories/FreeBSD-EN-16:04.hyperv.asc
     - copied unchanged from r48424, head/share/security/advisories/FreeBSD-16:04.hyperv.asc
  head/share/security/advisories/FreeBSD-EN-16:05.hv_netvsc.asc
     - copied unchanged from r48424, head/share/security/advisories/FreeBSD-16:05.hv_netvsc.asc
Deleted:
  head/share/security/advisories/FreeBSD-16:04.hyperv.asc
  head/share/security/advisories/FreeBSD-16:05.hv_netvsc.asc

Copied: head/share/security/advisories/FreeBSD-EN-16:04.hyperv.asc (from r48424, head/share/security/advisories/FreeBSD-16:04.hyperv.asc)
============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-16:04.hyperv.asc Wed Mar 16 23:12:06 2016 (r48425, copy of r48424, head/share/security/advisories/FreeBSD-16:04.hyperv.asc) 
@@ -0,0 +1,137 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-16:04.hyperv Errata Notice + The FreeBSD Project + +Topic: Hyper-V KVP (Key-Value Pair) daemon indefinite sleep + +Category: core +Module: hyperv +Announced: 2016-03-16 +Credits: Microsoft Open Source Technology Center(OSTC) +Affects: FreeBSD 10.x +Corrected: 2015-12-18 14:52:12 UTC (stable/10, 10.2-STABLE) + 2016-03-16 22:31:04 UTC (releng/10.2, 10.2-RELEASE-p14) + 2016-03-16 22:30:56 UTC (releng/10.1, 10.1-RELEASE-p31) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +Hyper-V is a native hypervisor running on Windows operating system. It can +run FreeBSD 10.x as guest in virtual machine. + +Data Exchange is an integration service, also known as a key-value pair or +KVP, that can be used to share information between virtual machines and the +Hyper-V host. For more information, see +. + +II. Problem Description + +The KVP driver code doesn't implement the KVP device's .d_poll callback +correctly: when there is no data available to the user-mode KVP daemon, the +driver forgets to remember the daemon and wake up the daemon later. As a +result, the daemon can't be woken up in a predictable period of time, and +the host side's KVP query can hang for an unexpected period of time and get +timeout, and finally the host can think the VM is irresponsive or unhealthy. + +III. Impact + +When a FreeBSD 10.x virtual machine runs on Hyper-V, the host may not get the +expected response of a KVP query. When a virtual machine runs on Azure, the +host may try to recover the "irresponsive" virtual machine by killing it and +starting it later, causing unnecessary virtual machine downtime. + +IV. Workaround + +Don't run the KVP daemon on a virtual machine. 
With this, the host will know +that KVP functionality is not working at all, so the host won't try to send KVP +query to virtual machine. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. Reboot is required. + +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Reboot is required. + +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-16:04/hyperv.patch +# fetch https://security.FreeBSD.org/patches/EN-16:04/hyperv.patch.asc +# gpg --verify hyperv.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r292438 +releng/10.1/ r296954 +releng/10.2/ r296955 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + +. 
+ +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJW6eQmAAoJEO1n7NZdz2rnq+sQAOOnGB826xMwM5xW7a2rnOKV +SDPzC0XXkHhRltJWSaIBi+nhKusMQcuYEaZDG8P5pvugpJfBPDhv2THu9ofEhvB4 +88iT4sFOKi20iXJxrZQM5UT9tPaDoWUCQ9isr4HseotF5Hda4onplGK3/VXq3xGF +tGjgOfnHbhQbXAf7JZwCfjUeIyYYY2VGBscSwDF/AS0Z9vUEudNKnPEZcC5V19LJ +8vZHjknNpchklnaT0UFZwrpFEgpmSU5rtYlH6FbfWYbspqRjEk1Ia2wkasB9im2z +v2vc+qNOqgOMATgatix0yqzXnBkOqi+5ra0MUipXG89l3Yxvekv0mvqQFYRWN7MN +fjPOnP9i2hjoKbbPEArEmYffOFMjxrOTgzLYVxXntOTUFMgGcUXltgjlo/Ov4Fm0 +CfDIDUBlyPlDkemPYiaRinyLim4M3TOll2M6ucnonFuE//sLfU/DEnlz8pf+yJg3 +jeJ7Pi6YKe+YUrTj2kL8shoPWjg00oHCIZua9nFhdHwNURX5XuoPlf84qxeSmumL +lbQ8Dq82zkECJmJe7fGshUyPGlXqN+ValGYtZkuQwS/vq1cxRomvO1naZQDqJuVA +Z15SW63CnsFIYJvK0Dd0v0i3Nw0WYHRRJ5nFo18WIzHs2FZguib1wqiN6D1oRnrH +0YgK0KZFzwWufB7YB0TG +=4BjO +-----END PGP SIGNATURE----- Copied: head/share/security/advisories/FreeBSD-EN-16:05.hv_netvsc.asc (from r48424, head/share/security/advisories/FreeBSD-16:05.hv_netvsc.asc) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-16:05.hv_netvsc.asc Wed Mar 16 23:12:06 2016 (r48425, copy of r48424, head/share/security/advisories/FreeBSD-16:05.hv_netvsc.asc) 
@@ -0,0 +1,129 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-16:05.hv_netvsc Errata Notice + The FreeBSD Project + +Topic: hv_netvsc(4) incorrect TCP/IP checksums + +Category: core +Module: hyperv +Announced: 2016-03-16 +Credits: Larry Baird +Affects: FreeBSD 10.2 +Corrected: 2015-12-18 14:56:49 UTC (stable/10, 10.2-STABLE) + 2016-03-16 22:31:04 UTC (releng/10.2, 10.2-RELEASE-p14) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +Hyper-V is a native hypervisor running on Windows operating system. It can +run FreeBSD 10.x as guest in virtual machine. + +When FreeBSD guest runs on Hyper-V, to get the best network performance, +it usually uses the Hyper-V synthetic network device. The driver of the +network device is called hv_netvsc(4). Since FreeBSD 10.2-RELEASE the +driver supports TCP segmentation and TCP/IP checksum offloading. + +II. Problem Description + +Together with the TCP segmentation and TCP/IP checksum offloading a regression +was introduced. The driver checked the inbound checksum flags when deciding +whether to process checksums or not, while it should have checked the outbound +flags only. + +III. Impact + +If the guest running on Hyper-V is configured as a gateway, the host will +silently drop certain packets from the guest. + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. Reboot is required. 
+ +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Reboot is required. + +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-16:05/hv_netvsc.patch +# fetch https://security.FreeBSD.org/patches/EN-16:05/hv_netvsc.patch.asc +# gpg --verify hv_netvsc.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r292439 +releng/10.2/ r296955 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJW6eQyAAoJEO1n7NZdz2rnOdQQANX3NYcoY1uMJEJcOMgfKp52 +OUKUriPdJjEr94Yq/QSGaIp5WyZ5O/hu89LI45DlJMHGxQYJrpQuM1Cyf2QS770u +yrmfTkcJpqmwJpr4pOqQuYUHuAXkUsOeOysOO/2ccP7USFWqdWbgLotbq3JAFwIz +cnPwteAawZ3BZLaDRXgsr9Hhqn5d++YIsYC3mhyGNJJI6LlNG/ihba2Vd8lDu9hv +UVv0WW8yfv851jEv/vhCQmhHcHcIAhzZGLn47Shi4s0833icvPeU+Xc/cpL/wifX +vCPKA53DqdsNCsPQbbfzgCgoxV1iC3zb/4EOUAIpCInS00N4YQeQiJePH7Im56rc +y6LsccIf1otr8xCuRuWsUVXuzrmtDBKDzE2gwMx+YHAEWl7ObhgM1VYYWoYnwBlr +g+M2Wynjcj/rSZUpBdtUFFDNhqFlvrFSXDUEl0MbK4IzwtyOQtQfnCjy6kTqr2yB +czWonmU9tgLtaqkN61b5pBx+jR2oEC4M8HPHuA2LmEKLJrgfePHBIAZ7cPnWaZ4O +L4uP97MPmZEQggQeED5SLTMl3jJUe52H9XDkN8RV8/P3oA/YXBD4prhg4fYvNKQT +VR0pWvlnJNmjaupCBWOfJfG1S8+oOfoTNV5/Fq83LVLW0DPKHVmLtQfS5Rs02745 +VnvCDT/XPOCODW1KdsSc +=vkxR +-----END PGP SIGNATURE-----
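
Review bot: In FreeBSD-EN-16:04.hyperv.asc, section IV (Workaround) says "Don't run the KVP daemon on a virtual machine" without telling the reader how to stop or disable the daemon, so the only mitigation the notice offers cannot be applied from the text alone. Suggest naming the command or rc.conf setting there. Smaller wording points in sections II and III: "irresponsive" reads better as "unresponsive" and "get timeout" as "time out". The file is PGP clearsigned and this commit copies it unchanged, so any such text change needs a fresh signature and belongs in a follow-up revision rather than in this rename.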
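
Review bot: In FreeBSD-EN-16:05.hv_netvsc.asc, section III (Impact) limits the problem to a guest "configured as a gateway", but section II (Problem Description) only says the driver checked the inbound checksum flags instead of the outbound ones and never explains why forwarded traffic is the case that breaks. Suggest one sentence in II connecting the two, so an administrator can tell whether a guest that does not forward packets is affected. The phrase "certain packets" in III could likewise name the kind of packet the host drops. The file is clearsigned and copied unchanged here, so the wording change would go in a later, re-signed revision.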