FreeBSD Security Advisory FreeBSD-SA-20:02.ipsec
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-20:02.ipsec                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Missing IPsec anti-replay window check

Category:       core
Module:         kernel
Announced:      2020-01-28
Credits:        Jean-Francois HREN
Affects:        FreeBSD 12.0 only
Corrected:      2020-01-28 18:56:46 UTC (releng/12.0, 12.0-RELEASE-p13)
CVE Name:       CVE-2019-5613

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

IPsec is a suite of protocols providing data authentication, integrity,
and confidentiality between two networked hosts.

II.  Problem Description

A missing check means that an attacker can reinject an old packet and it
will be accepted and processed by the IPsec endpoint.

III. Impact

The impact depends on the higher-level protocols in use over IPsec.  For
example, an attacker who can capture and inject packets could cause an
action that was intentionally performed once to be repeated.

IV.  Workaround

No workaround is available.  Systems not using IPsec are not vulnerable.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-20:02/ipsec.patch
# fetch https://security.FreeBSD.org/patches/SA-20:02/ipsec.patch.asc
# gpg --verify ipsec.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
releng/12.0/                                                      r357218
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5613>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-20:02.ipsec.asc>
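The check SA-20:02 describes as missing is the ESP anti-replay window of RFC 4303. The following is an added example, not the FreeBSD kernel's code: a 64-packet sliding window that shows what a receiver must do before handing a sequence number up the stack, alongside the behaviour of an endpoint that performs no check, fed the same constructed trace.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example: a 64-packet ESP anti-replay sliding window in the style
 * of RFC 4303.  Illustrative code, not FreeBSD's implementation.  The
 * receiver runs this only AFTER the packet's integrity check (ICV) has
 * passed; otherwise forged sequence numbers could be used to poison
 * the window.
 */
#define REPLAY_WINDOW_BITS 64u

struct replay_window {
    uint32_t last_seq;  /* highest authenticated sequence number seen */
    uint64_t bitmap;    /* bit i set => packet (last_seq - i) was received */
};

void replay_init(struct replay_window *w)
{
    w->last_seq = 0;    /* ESP sequence numbers start at 1, so 0 = nothing seen */
    w->bitmap = 0;
}

/*
 * Returns true and records seq if the packet is new; false if it is a
 * duplicate or older than the window (both are dropped as replays).
 */
bool replay_check_and_update(struct replay_window *w, uint32_t seq)
{
    if (seq == 0)
        return false;

    if (seq > w->last_seq) {
        /* New high-water mark: slide the window forward. */
        uint32_t diff = seq - w->last_seq;
        if (diff >= REPLAY_WINDOW_BITS)
            w->bitmap = 1;                       /* everything older fell off */
        else
            w->bitmap = (w->bitmap << diff) | 1; /* bit 0 = seq itself */
        w->last_seq = seq;
        return true;
    }

    uint32_t diff = w->last_seq - seq;
    if (diff >= REPLAY_WINDOW_BITS)
        return false;                            /* too old to judge: drop */

    uint64_t bit = (uint64_t)1 << diff;
    if (w->bitmap & bit)
        return false;                            /* already seen: replay */
    w->bitmap |= bit;                            /* late but fresh: accept */
    return true;
}

/* The behaviour SA-20:02 describes: the window check is simply absent. */
bool replay_check_missing(struct replay_window *w, uint32_t seq)
{
    if (seq > w->last_seq)
        w->last_seq = seq;
    return true;
}

/* Feed a sequence-number trace through a checker and return how many
   packets it would have delivered to the upper layer. */
size_t count_accepted(bool (*check)(struct replay_window *, uint32_t),
                      const uint32_t *trace, size_t n)
{
    struct replay_window w;
    size_t accepted = 0;
    replay_init(&w);
    for (size_t i = 0; i < n; i++)
        if (check(&w, trace[i]))
            accepted++;
    return accepted;
}

int main(void)
{
    /* Constructed trace: packets 1-4 in order, then 2 and 3 reinjected. */
    const uint32_t trace[] = { 1, 2, 3, 4, 2, 3 };
    size_t n = sizeof trace / sizeof trace[0];
    printf("with window check:    %zu of %zu accepted\n",
           count_accepted(replay_check_and_update, trace, n), n);
    printf("without window check: %zu of %zu accepted\n",
           count_accepted(replay_check_missing, trace, n), n);
    return 0;
}
```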
FreeBSD Security Advisory FreeBSD-SA-20:01.libfetch
=============================================================================
FreeBSD-SA-20:01.libfetch                                   Security Advisory
                                                          The FreeBSD Project

Topic:          libfetch buffer overflow

Category:       core
Module:         libfetch
Announced:      2020-01-28
Credits:        Duncan Overbruck
Affects:        All supported versions of FreeBSD.
Corrected:      2020-01-28 18:40:55 UTC (stable/12, 12.1-STABLE)
                2020-01-28 18:55:25 UTC (releng/12.1, 12.1-RELEASE-p2)
                2020-01-28 18:55:25 UTC (releng/12.0, 12.0-RELEASE-p13)
                2020-01-28 18:42:06 UTC (stable/11, 11.3-STABLE)
                2020-01-28 18:55:25 UTC (releng/11.3, 11.3-RELEASE-p6)
CVE Name:       CVE-2020-7450

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

libfetch(3) is a multi-protocol file transfer library included with
FreeBSD and used by the fetch(1) command-line tool, pkg(8) package
manager, and others.

II.  Problem Description

A programming error allows an attacker who can specify a URL with a
username and/or password components to overflow libfetch(3) buffers.

III. Impact

An attacker in control of the URL to be fetched (possibly via HTTP
redirect) may cause a heap buffer overflow, resulting in program
misbehavior or malicious code execution.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-20:01/libfetch.patch
# fetch https://security.FreeBSD.org/patches/SA-20:01/libfetch.patch.asc
# gpg --verify libfetch.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <https://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r357213
releng/12.1/                                                      r357217
releng/12.0/                                                      r357217
stable/11/                                                        r357214
releng/11.3/                                                      r357217
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7450>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-20:01.libfetch.asc>
FreeBSD Security Advisory FreeBSD-SA-20:03.thrmisc
=============================================================================
FreeBSD-SA-20:03.thrmisc                                    Security Advisory
                                                          The FreeBSD Project

Topic:          kernel stack data disclosure

Category:       core
Module:         kernel
Announced:      2020-01-28
Credits:        Ilja Van Sprundel
Affects:        All supported versions of FreeBSD.
Corrected:      2019-11-15 16:40:10 UTC (stable/12, 12.1-STABLE)
                2020-01-28 18:57:45 UTC (releng/12.1, 12.1-RELEASE-p2)
                2020-01-28 18:57:45 UTC (releng/12.0, 12.0-RELEASE-p13)
                2019-11-15 16:40:55 UTC (stable/11, 11.3-STABLE)
                2020-01-28 18:57:45 UTC (releng/11.3, 11.3-RELEASE-p6)
CVE Name:       CVE-2019-15875

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The kernel can create a core dump file when a process crashes that
contains process state, for debugging.

II.  Problem Description

Due to incorrect initialization of a stack data structure, up to 20
bytes of kernel data previously stored on the stack will be exposed to
a crashing user process.

III. Impact

Sensitive kernel data may be disclosed.

IV.  Workaround

Core dumps may be disabled by setting the kern.coredump sysctl to 0.
See sysctl(8) and sysctl.conf(5).

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-20:03/thrmisc.patch
# fetch https://security.FreeBSD.org/patches/SA-20:03/thrmisc.patch.asc
# gpg --verify thrmisc.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r354734
releng/12.1/                                                      r357219
releng/12.0/                                                      r357219
stable/11/                                                        r354735
releng/11.3/                                                      r357219
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15875>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-20:03.thrmisc.asc>
FreeBSD Security Advisory FreeBSD-SA-19:25.mcepsc
=============================================================================
FreeBSD-SA-19:25.mcepsc                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Machine Check Exception on Page Size Change

Category:       core
Module:         kernel
Announced:      2019-11-12
Credits:        Intel
Affects:        All supported versions of FreeBSD.
Corrected:      2019-11-12 18:03:26 UTC (stable/12, 12.1-STABLE)
                2019-11-12 18:13:04 UTC (releng/12.1, 12.1-RELEASE-p1)
                2019-11-12 18:13:04 UTC (releng/12.0, 12.0-RELEASE-p12)
                2019-11-12 18:04:28 UTC (stable/11, 11.3-STABLE)
                2019-11-12 18:13:04 UTC (releng/11.3, 11.3-RELEASE-p5)
CVE Name:       CVE-2018-12207

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The Intel machine check architecture is a mechanism to detect and report
hardware errors, such as system bus errors, ECC errors, parity errors,
and others.  This allows the processor to signal the detection of a
machine check error to the operating system.

II.  Problem Description

Intel discovered a previously published erratum on some Intel platforms
can be exploited by malicious software to potentially cause a denial of
service by triggering a machine check that will crash or hang the
system.

III. Impact

Malicious guest operating systems may be able to crash the host.

IV.  Workaround

No workaround is available.  Systems not running untrusted guest
virtual machines are not impacted.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.1]
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.12.1.patch
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.12.1.patch.asc
# gpg --verify mcepsc.12.1.patch.asc

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.12.0.patch
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.12.0.patch.asc
# gpg --verify mcepsc.12.0.patch.asc

[FreeBSD 11.3]
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.11.patch
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.11.patch.asc
# gpg --verify mcepsc.11.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r354650
releng/12.1/                                                      r354653
releng/12.0/                                                      r354653
stable/11/                                                        r354651
releng/11.3/                                                      r354653
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://software.intel.com/security-software-guidance/software-guidance/machine-check-error-avoidance-page-size-change>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:25.mcepsc.asc>
FreeBSD Security Advisory FreeBSD-SA-19:26.mcu
=============================================================================
FreeBSD-SA-19:26.mcu                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Intel CPU Microcode Update

Category:       3rd party
Module:         Intel CPU microcode
Announced:      2019-11-12
Credits:        Intel
Affects:        All supported versions of FreeBSD running on certain Intel
                CPUs.
CVE Name:       CVE-2019-11135, CVE-2019-11139, CVE-2018-12126,
                CVE-2018-12127, CVE-2018-12130, CVE-2018-11091,
                CVE-2017-5715

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

From time to time Intel releases new CPU microcode to address functional
issues and security vulnerabilities.  Such a release is also known as a
Micro Code Update (MCU), and is a component of a broader Intel Platform
Update (IPU).

FreeBSD distributes CPU microcode via the devcpu-data port and package.

II.  Problem Description

Starting with version 1.26, the devcpu-data port/package includes
updates and mitigations for the following technical and security
advisories (depending on CPU model).

Intel TSX Updates (TAA)              CVE-2019-11135
Voltage Modulation Vulnerability     CVE-2019-11139
MD_CLEAR Operations                  CVE-2018-12126 CVE-2018-12127
                                     CVE-2018-12130 CVE-2018-11091
TA Indirect Sharing                  CVE-2017-5715
EGETKEY                              CVE-2018-12126 CVE-2018-12127
                                     CVE-2018-12130 CVE-2018-11091
JCC                                  SKX102 Erratum

Updated microcode includes mitigations for CPU issues, but may also
cause a performance regression due to the JCC erratum mitigation.
Please visit http://www.intel.com/benchmarks for further information.

Please visit http://www.intel.com/security for detailed information on
these advisories as well as a list of CPUs that are affected.

III. Impact

Operating a CPU without the latest microcode may result in erratic or
unpredictable behavior, including system crashes and lock ups.

Certain issues listed in this advisory may result in the leakage of
privileged system information to unprivileged users.  Please refer to
the security advisories listed above for detailed information.

IV.  Workaround

To determine if TSX is present in your system, run the following:

1. kldload cpuctl
2. cpucontrol -i 7 /dev/cpuctl0

If bits 4 (0x10) and 11 (0x800) are set in the second response word
(EBX), TSX is present.

In the absence of updated microcode, TAA can be mitigated by enabling
the MDS mitigation:

3. sysctl hw.mds_disable=1

Systems must be running FreeBSD 11.3, FreeBSD 12.1, or later for this
to work.

*IMPORTANT* If your use case can tolerate leaving the CPU issues
unmitigated and cannot tolerate a performance regression, ensure that
the devcpu-data package is not installed or is locked at 1.25 or
earlier.

# pkg delete devcpu-data
or
# pkg lock devcpu-data

Later versions of the LLVM and GCC compilers will include changes that
partially relieve the performance impact.

V.   Solution

Install the latest Intel Microcode Update via the devcpu-data
port/package, version 1.26 or later.

Updated microcode adds the ability to disable TSX.  With updated
microcode the issue can still be mitigated by enabling the MDS
mitigation as described in the workaround section, or by disabling TSX
instead:

1. kldload cpuctl
2. cpucontrol -i 7 /dev/cpuctl0

If bit 29 (0x2000) is set in the fourth response word (EDX), then the
0x10a MSR is present.

3. cpucontrol -m 0x10a /dev/cpuctl0

If bit 8 (0x100) of the response word is set, your CPU is not
vulnerable to TAA and no further action is required.

If bit 7 (0x80) is cleared, then your CPU does not have updated
microcode that facilitates TSX to be disabled.  The only remedy
available is to enable the MDS mitigation, as documented above.

4. cpucontrol -m 0x122=3 /dev/cpuctl0

Repeat step 4 for each numbered CPU that is present.

A future kernel change to FreeBSD will provide automatic detection and
mitigation for TAA.

LLVM 9.0 will be updated in FreeBSD 13-current to address the JCC
performance impact.  Updates to prior versions of LLVM are currently
being evaluated.

VI.  Correction details

There are currently no changes in FreeBSD to address this issue.

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11139>
https://cve.
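The Workaround and Solution sections above are a decision tree over three register words. As an added example (not FreeBSD's cpucontrol code nor anything Intel ships), the following encodes that tree so a defender can apply it to the values `cpucontrol -i 7` and `cpucontrol -m 0x10a` print; the sample register values in main() are constructed, not read from a machine.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example: the TAA decision procedure of SA-19:26 applied to the raw
 * words that `cpucontrol -i 7` (CPUID leaf 7: EBX, EDX) and
 * `cpucontrol -m 0x10a` (IA32_ARCH_CAPABILITIES) display.  Bit positions
 * are the ones the advisory gives; note that bit 29 is 0x20000000 (the
 * advisory prints it as "0x2000").
 */
#define CPUID7_EBX_HLE       (1u << 4)     /* 0x10  : HLE, half of TSX            */
#define CPUID7_EBX_RTM       (1u << 11)    /* 0x800 : RTM, half of TSX            */
#define CPUID7_EDX_ARCH_CAP  (1u << 29)    /* MSR 0x10a (IA32_ARCH_CAPABILITIES) exists */
#define ARCH_CAP_TSX_CTRL    (1ull << 7)   /* 0x80  : microcode can disable TSX   */
#define ARCH_CAP_TAA_NO      (1ull << 8)   /* 0x100 : CPU is not vulnerable to TAA */

enum taa_action {
    TAA_NOT_AFFECTED,       /* no TSX, or TAA_NO reported: nothing to do */
    TAA_DISABLE_TSX,        /* updated microcode: cpucontrol -m 0x122=3 per CPU */
    TAA_USE_MDS_MITIGATION  /* no TSX_CTRL available: sysctl hw.mds_disable=1 */
};

/* Workaround step 2: the advisory calls TSX present when both bits are set. */
bool tsx_present(uint32_t cpuid7_ebx)
{
    uint32_t both = CPUID7_EBX_HLE | CPUID7_EBX_RTM;
    return (cpuid7_ebx & both) == both;
}

/*
 * Solution steps 2-4.  arch_cap_msr is only consulted when cpuid7_edx says
 * the MSR exists; without it there is no way to learn TAA_NO or TSX_CTRL,
 * so the only remaining mitigation is the MDS one.
 */
enum taa_action taa_decide(uint32_t cpuid7_ebx, uint32_t cpuid7_edx,
                           uint64_t arch_cap_msr)
{
    if (!tsx_present(cpuid7_ebx))
        return TAA_NOT_AFFECTED;
    if (!(cpuid7_edx & CPUID7_EDX_ARCH_CAP))
        return TAA_USE_MDS_MITIGATION;
    if (arch_cap_msr & ARCH_CAP_TAA_NO)
        return TAA_NOT_AFFECTED;
    if (arch_cap_msr & ARCH_CAP_TSX_CTRL)
        return TAA_DISABLE_TSX;
    return TAA_USE_MDS_MITIGATION;
}

const char *taa_action_text(enum taa_action a)
{
    switch (a) {
    case TAA_NOT_AFFECTED:
        return "not vulnerable to TAA; no further action required";
    case TAA_DISABLE_TSX:
        return "disable TSX: cpucontrol -m 0x122=3 /dev/cpuctlN for each CPU N";
    case TAA_USE_MDS_MITIGATION:
        return "enable MDS mitigation: sysctl hw.mds_disable=1";
    }
    return "unknown";
}

int main(void)
{
    /* Constructed values: TSX present, MSR 0x10a present, TSX_CTRL set,
       TAA_NO clear, i.e. a CPU that has received the updated microcode. */
    uint32_t ebx = CPUID7_EBX_HLE | CPUID7_EBX_RTM;   /* 0x810 */
    uint32_t edx = CPUID7_EDX_ARCH_CAP;
    uint64_t msr = ARCH_CAP_TSX_CTRL;

    printf("TSX present: %s\n", tsx_present(ebx) ? "yes" : "no");
    printf("TAA action:  %s\n", taa_action_text(taa_decide(ebx, edx, msr)));
    return 0;
}
```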
FreeBSD Security Advisory FreeBSD-SA-19:23.midi [REVISED]
=============================================================================
FreeBSD-SA-19:23.midi                                       Security Advisory
                                                          The FreeBSD Project

Topic:          kernel memory disclosure from /dev/midistat

Category:       core
Module:         sound
Announced:      2019-08-20
Credits:        Peter Holm, Mark Johnston
Affects:        All supported versions of FreeBSD.
Corrected:      2019-08-20 17:53:16 UTC (stable/12, 12.0-STABLE)
                2019-08-20 17:50:33 UTC (releng/12.0, 12.0-RELEASE-p10)
                2019-08-20 17:54:18 UTC (stable/11, 11.3-STABLE)
                2019-08-20 17:50:33 UTC (releng/11.3, 11.3-RELEASE-p3)
                2019-08-20 17:50:33 UTC (releng/11.2, 11.2-RELEASE-p14)
CVE Name:       CVE-2019-5612

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

0.   Revision history

v1.0  2019-08-20  Initial release.
v1.1  2019-08-21  Updated workaround.

I.   Background

/dev/midistat is a device file which can be read to obtain a
human-readable list of the available MIDI-capable devices in the
system.

II.  Problem Description

The kernel driver for /dev/midistat implements a handler for read(2).
This handler is not thread-safe, and a multi-threaded program can
exploit races in the handler to cause it to copy out kernel memory
outside the boundaries of midistat's data buffer.

III. Impact

The races allow a program to read kernel memory within a 4GB window
centered at midistat's data buffer.  The buffer is allocated each time
the device is opened, so an attacker is not limited to a static 4GB
region of memory.

On 32-bit platforms, an attempt to trigger the race may cause a page
fault in kernel mode, leading to a panic.

IV.  Workaround

Restrict permissions on /dev/midistat by adding an entry to
/etc/devfs.conf and restarting the service:

# echo "perm midistat 0600" >> /etc/devfs.conf
# service devfs restart

Custom kernels without "device sound" are not vulnerable.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:23/midi.patch
# fetch https://security.FreeBSD.org/patches/SA-19:23/midi.patch.asc
# gpg --verify midi.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r351264
releng/12.0/                                                      r351260
stable/11/                                                        r351265
releng/11.3/                                                      r351260
releng/11.2/                                                      r351260
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5612>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:23.midi.asc>
FreeBSD Security Advisory FreeBSD-SA-19:24.mqueuefs
=============================================================================
FreeBSD-SA-19:24.mqueuefs                                   Security Advisory
                                                          The FreeBSD Project

Topic:          Reference count overflow in mqueue filesystem 32-bit compat

Category:       core
Module:         kernel
Announced:      2019-08-20
Credits:        Karsten König, Secfault Security
Affects:        All supported versions of FreeBSD.
Corrected:      2019-08-20 17:45:22 UTC (stable/12, 12.0-STABLE)
                2019-08-20 17:51:32 UTC (releng/12.0, 12.0-RELEASE-p10)
                2019-08-20 17:46:22 UTC (stable/11, 11.3-STABLE)
                2019-08-20 17:51:32 UTC (releng/11.3, 11.3-RELEASE-p3)
                2019-08-20 17:51:32 UTC (releng/11.2, 11.2-RELEASE-p14)
CVE Name:       CVE-2019-5603

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

Note: This issue is related to the previously disclosed
SA-19:15.mqueuefs.  It is another instance of the same bug and as such
shares the same CVE.

I.   Background

mqueuefs(5) implements the POSIX message queue file system, which can be
used by processes as a communication mechanism.

'struct file' represents open files, directories, sockets and other
entities.

II.  Problem Description

System calls operating on file descriptors obtain a reference to the
relevant struct file which, due to a programming error, was not always
put back.  This in turn could be used to overflow the reference counter
of the affected struct file.

III. Impact

A local user can use this flaw to obtain access to files, directories,
sockets, etc., opened by processes owned by other users.  If the
obtained struct file represents a directory from outside of the user's
jail, it can be used to access files outside of the jail.  If the user
in question is a jailed root they can obtain root privileges on the
host system.

IV.  Workaround

No workaround is available.  Note that the mqueuefs file system is not
enabled by default.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:24/mqueuefs.patch
# fetch https://security.FreeBSD.org/patches/SA-19:24/mqueuefs.patch.asc
# gpg --verify mqueuefs.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r351255
releng/12.0/                                                      r351261
stable/11/                                                        r351257
releng/11.3/                                                      r351261
releng/11.2/                                                      r351261
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5603>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:24.mqueuefs.asc>
FreeBSD Security Advisory FreeBSD-SA-19:23.midi
=============================================================================
FreeBSD-SA-19:23.midi                                       Security Advisory
                                                          The FreeBSD Project

Topic:          kernel memory disclosure from /dev/midistat

Category:       core
Module:         sound
Announced:      2019-08-20
Credits:        Peter Holm, Mark Johnston
Affects:        All supported versions of FreeBSD.
Corrected:      2019-08-20 17:53:16 UTC (stable/12, 12.0-STABLE)
                2019-08-20 17:50:33 UTC (releng/12.0, 12.0-RELEASE-p10)
                2019-08-20 17:54:18 UTC (stable/11, 11.3-STABLE)
                2019-08-20 17:50:33 UTC (releng/11.3, 11.3-RELEASE-p3)
                2019-08-20 17:50:33 UTC (releng/11.2, 11.2-RELEASE-p14)
CVE Name:       CVE-2019-5612

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

/dev/midistat is a device file which can be read to obtain a
human-readable list of the available MIDI-capable devices in the
system.

II.  Problem Description

The kernel driver for /dev/midistat implements a handler for read(2).
This handler is not thread-safe, and a multi-threaded program can
exploit races in the handler to cause it to copy out kernel memory
outside the boundaries of midistat's data buffer.

III. Impact

The races allow a program to read kernel memory within a 4GB window
centered at midistat's data buffer.  The buffer is allocated each time
the device is opened, so an attacker is not limited to a static 4GB
region of memory.

On 32-bit platforms, an attempt to trigger the race may cause a page
fault in kernel mode, leading to a panic.

IV.  Workaround

No workaround is available.

Custom kernels without "device sound" are not vulnerable.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:23/midi.patch
# fetch https://security.FreeBSD.org/patches/SA-19:23/midi.patch.asc
# gpg --verify midi.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r351264
releng/12.0/                                                      r351260
stable/11/                                                        r351265
releng/11.3/                                                      r351260
releng/11.2/                                                      r351260
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5612>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:23.midi.asc>
FreeBSD Security Advisory FreeBSD-SA-19:22.mbuf
=============================================================================
FreeBSD-SA-19:22.mbuf                                       Security Advisory
                                                          The FreeBSD Project

Topic:          IPv6 remote Denial-of-Service

Category:       kernel
Module:         net
Announced:      2019-08-20
Credits:        Clement Lecigne
Affects:        All supported versions of FreeBSD.
Corrected:      2019-08-10 00:01:25 UTC (stable/12, 12.0-STABLE)
                2019-08-20 17:49:33 UTC (releng/12.0, 12.0-RELEASE-p10)
                2019-08-10 00:02:45 UTC (stable/11, 11.3-STABLE)
                2019-08-20 17:49:33 UTC (releng/11.3, 11.3-RELEASE-p3)
                2019-08-20 17:49:33 UTC (releng/11.2, 11.2-RELEASE-p14)
CVE Name:       CVE-2019-5611

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

I.   Background

mbufs are a unit of memory management mostly used in the kernel for network
packets and socket buffers. m_pulldown(9) is a function to arrange the data
in a chain of mbufs.

II.  Problem Description

Due to a missing check in the code of m_pulldown(9), the data returned may
not be contiguous as requested by the caller.

III. Impact

Extra checks in the IPv6 code catch the error condition and trigger a kernel
panic, leading to a remote DoS (denial-of-service) attack with certain
Ethernet interfaces. At this point it is unknown if any code paths other than
IPv6 can trigger a similar condition.

IV.  Workaround

For the currently known attack vector, systems with IPv6 not enabled are not
vulnerable. On systems with IPv6 active, IPv6 fragmentation may be disabled,
or a firewall can be used to filter out packets with certain or excessive
amounts of extension headers in a first fragment. These rules may be
dependent on the operational needs of each site.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:22/mbuf.patch
# fetch https://security.FreeBSD.org/patches/SA-19:22/mbuf.patch.asc
# gpg --verify mbuf.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
https://www.FreeBSD.org/handbook/kernelconfig.html and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r350828
releng/12.0/                                                      r351259
stable/11/                                                        r350829
releng/11.3/                                                      r351259
releng/11.2/                                                      r351259
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238787
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5611

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:22.mbuf.asc
FreeBSD Security Advisory FreeBSD-SA-19:21.bhyve
=============================================================================
FreeBSD-SA-19:21.bhyve                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Insufficient validation of guest-supplied data (e1000 device)

Category:       core
Module:         bhyve
Announced:      2019-08-06
Credits:        Reno Robert
Affects:        All supported versions of FreeBSD.
Corrected:      2019-08-05 22:04:16 UTC (stable/12, 12.0-STABLE)
                2019-08-06 17:13:17 UTC (releng/12.0, 12.0-RELEASE-p9)
                2019-08-05 22:04:16 UTC (stable/11, 11.3-STABLE)
                2019-08-06 17:13:17 UTC (releng/11.3, 11.3-RELEASE-p2)
                2019-08-06 17:13:17 UTC (releng/11.2, 11.2-RELEASE-p13)
CVE Name:       CVE-2019-5609

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

I.   Background

bhyve(8) is a hypervisor that supports running a variety of guest operating
systems in virtual machines. bhyve(8) includes an emulated Intel 82545
network interface adapter ("e1000").

II.  Problem Description

The e1000 network adapters permit a variety of modifications to an Ethernet
packet when it is being transmitted. These include the insertion of IP and
TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation
offload ("TSO"). The e1000 device model uses an on-stack buffer to generate
the modified packet header when simulating these modifications on
transmitted packets.

When TCP segmentation offload is requested for a transmitted packet, the
e1000 device model used a guest-provided value to determine the size of the
on-stack buffer without validation. The subsequent header generation could
overflow an incorrectly sized buffer or indirect a pointer composed of stack
garbage.

III. Impact

A misbehaving bhyve guest could overwrite memory in the bhyve process on the
host.

IV.  Workaround

Only the e1000 device model is affected; the virtio-net device is not
affected by this issue. If supported by the guest operating system,
presenting only the virtio-net device to the guest is a suitable workaround.
No workaround is available if the e1000 device model is required.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and restart any affected virtual machines.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:21/bhyve.patch
# fetch https://security.FreeBSD.org/patches/SA-19:21/bhyve.patch.asc
# gpg --verify bhyve.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in https://www.FreeBSD.org/handbook/makeworld.html.

Restart the applicable virtual machines, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r350619
releng/12.0/                                                      r350647
stable/11/                                                        r350619
releng/11.3/                                                      r350647
releng/11.2/                                                      r350647
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5609

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:21.bhyve.asc
FreeBSD Security Advisory FreeBSD-SA-19:20.bsnmp
=============================================================================
FreeBSD-SA-19:20.bsnmp                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Insufficient message length validation in bsnmp library

Category:       contrib
Module:         bsnmp
Announced:      2019-08-06
Credits:        Guido Vranken
Affects:        All supported versions of FreeBSD.
Corrected:      2019-08-06 16:11:16 UTC (stable/12, 12.0-STABLE)
                2019-08-06 17:12:17 UTC (releng/12.0, 12.0-RELEASE-p9)
                2019-08-06 16:12:43 UTC (stable/11, 11.3-STABLE)
                2019-08-06 17:12:17 UTC (releng/11.3, 11.3-RELEASE-p2)
                2019-08-06 17:12:17 UTC (releng/11.2, 11.2-RELEASE-p13)
CVE Name:       CVE-2019-5610

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

I.   Background

The bsnmp software library is used for the Internet SNMP (Simple Network
Management Protocol). As part of this it includes functions to handle ASN.1
(Abstract Syntax Notation One).

II.  Problem Description

A function extracting the length from type-length-value encoding is not
properly validating the submitted length.

III. Impact

A remote user could cause, for example, an out-of-bounds read, decoding of
unrelated data, or trigger a crash of the software such as bsnmpd resulting
in a denial of service.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:20/bsnmp.patch
# fetch https://security.FreeBSD.org/patches/SA-19:20/bsnmp.patch.asc
# gpg --verify bsnmp.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in https://www.FreeBSD.org/handbook/makeworld.html.

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r350637
releng/12.0/                                                      r350646
stable/11/                                                        r350638
releng/11.3/                                                      r350646
releng/11.2/                                                      r350646
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5610

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:20.bsnmp.asc
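The advisory does not show the affected code. As an added illustrative example, not bsnmp's own code, the following decoder for the ASN.1 BER length octets of a type-length-value element shows the check such a parser needs: the length taken from the wire is validated against the octets that actually remain before any content is read. The `asn_*` names and the sample encodings are constructed for this example.

```c
/* Added illustrative example, not bsnmp's own code: a bounds-checked decoder
 * for the ASN.1 BER length octets of a type-length-value element (the encoding
 * SNMP uses); the wire length is validated against what remains in the buffer. */
#include <stddef.h>
#include <stdint.h>

enum asn_status {
    ASN_OK = 0,
    ASN_ERR_TRUNCATED,   /* input ended inside the tag or length octets */
    ASN_ERR_BAD_LENGTH,  /* indefinite form, or more length octets than size_t */
    ASN_ERR_OVERFLOW     /* declared content length exceeds the remaining input */
};

struct asn_tlv {
    uint8_t        tag;  /* identifier octet */
    size_t         len;  /* declared content length, already validated */
    const uint8_t *val;  /* first content octet, inside the caller's buffer */
};

static size_t fail(enum asn_status *status, enum asn_status err)
{
    *status = err;
    return 0;
}

/* Decode one TLV header from buf[0..buflen). Returns the octets the whole
 * element occupies (header plus content) so the caller can step to the next
 * one, or 0 with *status set on failure. */
size_t asn_get_tlv(const uint8_t *buf, size_t buflen, struct asn_tlv *tlv,
                   enum asn_status *status)
{
    size_t pos = 0, len = 0;
    if (buflen < 2)                   /* need a tag and one length octet */
        return fail(status, ASN_ERR_TRUNCATED);
    tlv->tag = buf[pos++];
    uint8_t first = buf[pos++];
    if ((first & 0x80) == 0) {
        len = first;                  /* short form: 0..127 */
    } else {
        size_t nlen = first & 0x7f;   /* long form: count of length octets */
        /* 0x80 alone is the indefinite form, which SNMP does not use. */
        if (nlen == 0 || nlen > sizeof(size_t))
            return fail(status, ASN_ERR_BAD_LENGTH);
        if (buflen - pos < nlen)      /* the length octets themselves are cut off */
            return fail(status, ASN_ERR_TRUNCATED);
        for (size_t i = 0; i < nlen; i++)
            len = (len << 8) | buf[pos++];
    }
    /* The check the advisory is about: the declared length must fit in what
     * remains of the buffer before anything dereferences the content. */
    if (len > buflen - pos)
        return fail(status, ASN_ERR_OVERFLOW);
    tlv->len = len;
    tlv->val = buf + pos;
    *status = ASN_OK;
    return pos + len;
}

/* Walk a flat run of TLVs and count them; -1 with *status set on the first bad one. */
int asn_count_elements(const uint8_t *buf, size_t buflen, enum asn_status *status)
{
    int n = 0;
    for (size_t off = 0; off < buflen; n++) {
        struct asn_tlv t;
        size_t used = asn_get_tlv(buf + off, buflen - off, &t, status);
        if (used == 0)
            return -1;
        off += used;
    }
    *status = ASN_OK;
    return n;
}

/* Constructed samples, not captured traffic. */
static const uint8_t sample_ok[] =            /* SEQUENCE { INTEGER 5, OCTET STRING "A" } */
    { 0x30, 0x06, 0x02, 0x01, 0x05, 0x04, 0x01, 0x41 };
static const uint8_t sample_overflow[] =      /* claims 127 content octets, only 3 present */
    { 0x04, 0x7f, 0x41, 0x42, 0x43 };
static const uint8_t sample_long_overflow[] = /* long-form length 256, no content at all */
    { 0x04, 0x82, 0x01, 0x00 };
static const uint8_t sample_indefinite[] =    /* indefinite length, invalid for SNMP */
    { 0x30, 0x80, 0x00, 0x00 };

/* Status of decoding the first element of a buffer. */
enum asn_status demo_status(const uint8_t *buf, size_t buflen)
{
    struct asn_tlv t; enum asn_status st;
    asn_get_tlv(buf, buflen, &t, &st);
    return st;
}

/* Decode sample_ok's outer SEQUENCE and count the elements inside it (2). */
int demo_count_inner_ok(void)
{
    struct asn_tlv outer; enum asn_status st;
    if (asn_get_tlv(sample_ok, sizeof sample_ok, &outer, &st) == 0 || outer.tag != 0x30)
        return -1;
    return asn_count_elements(outer.val, outer.len, &st);
}
```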
FreeBSD Security Advisory FreeBSD-SA-19:19.mldv2
=============================================================================
FreeBSD-SA-19:19.mldv2                                      Security Advisory
                                                          The FreeBSD Project

Topic:          ICMPv6 / MLDv2 out-of-bounds memory access

Category:       core
Module:         net
Announced:      2019-08-06
Credits:        CJD of Apple
Affects:        All supported versions of FreeBSD.
Corrected:      2019-08-06 17:13:41 UTC (stable/12, 12.0-STABLE)
                2019-08-06 17:11:17 UTC (releng/12.0, 12.0-RELEASE-p9)
                2019-08-06 17:15:46 UTC (stable/11, 11.3-STABLE)
                2019-08-06 17:11:17 UTC (releng/11.3, 11.3-RELEASE-p2)
                2019-08-06 17:11:17 UTC (releng/11.2, 11.2-RELEASE-p13)
CVE Name:       CVE-2019-5608

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

I.   Background

MLDv2 is the Multicast Listener Discovery protocol, version 2. It is used by
IPv6 routers to discover multicast listeners.

II.  Problem Description

The ICMPv6 input path incorrectly handles cases where an MLDv2 listener query
packet is internally fragmented across multiple mbufs.

III. Impact

A remote attacker may be able to cause an out-of-bounds read or write that
may cause the kernel to attempt to access an unmapped page and subsequently
panic.

IV.  Workaround

No workaround is available. Systems not using IPv6 are not affected.

V.   Solution

Perform one of the following:

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Reboot for security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.2, FreeBSD 11.3]
# fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.11.patch
# fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.11.patch.asc
# gpg --verify mldv2.11.patch.asc

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.12.patch
# fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.12.patch.asc
# gpg --verify mldv2.12.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
https://www.FreeBSD.org/handbook/kernelconfig.html and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r350648
releng/12.0/                                                      r350644
stable/11/                                                        r350650
releng/11.3/                                                      r350644
releng/11.2/                                                      r350644
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5608

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:19.mldv2.asc
FreeBSD Security Advisory FreeBSD-SA-19:18.bzip2
=============================================================================
FreeBSD-SA-19:18.bzip2                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in bzip2

Category:       contrib
Module:         bzip2
Announced:      2019-08-06
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-04 07:29:18 UTC (stable/12, 12.0-STABLE)
                2019-08-06 17:09:47 UTC (releng/12.0, 12.0-RELEASE-p9)
                2019-07-04 07:32:25 UTC (stable/11, 11.3-STABLE)
                2019-08-06 17:09:47 UTC (releng/11.3, 11.3-RELEASE-p2)
                2019-08-06 17:09:47 UTC (releng/11.2, 11.2-RELEASE-p13)
CVE Name:       CVE-2016-3189, CVE-2019-12900

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

I.   Background

The bzip2(1)/bunzip2(1) utilities and the libbz2 library compress and
decompress files using an algorithm based on the Burrows-Wheeler transform.
They are generally slower than Lempel-Ziv compressors such as gzip, but
usually provide a greater compression ratio.

The bzip2recover utility extracts blocks from a damaged bzip2(1) file,
permitting partial recovery of the contents of the file.

II.  Problem Description

The decompressor used in bzip2 contains a bug which can lead to an
out-of-bounds write when processing a specially crafted bzip2(1) file.

bzip2recover contains a heap use-after-free bug which can be triggered when
processing a specially crafted bzip2(1) file.

III. Impact

An attacker who can cause maliciously crafted input to be processed may
trigger either of these bugs. The bzip2recover bug may cause a crash,
permitting a denial-of-service. The bzip2 decompressor bug could potentially
be exploited to execute arbitrary code.

Note that some utilities, including the tar(1) archiver and the bspatch(1)
binary patching utility (used in portsnap(8) and freebsd-update(8))
decompress bzip2(1)-compressed data internally; system administrators should
assume that their systems will at some point decompress bzip2(1)-compressed
data even if they never explicitly invoke the bunzip2(1) utility.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and restart daemons if necessary.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:18/bzip2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:18/bzip2.patch.asc
# gpg --verify bzip2.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in https://www.FreeBSD.org/handbook/makeworld.html.

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r349717
releng/12.0/                                                      r350643
stable/11/                                                        r349718
releng/11.3/                                                      r350643
releng/11.2/                                                      r350643
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3189
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:18.bzip2.asc
FreeBSD Security Advisory FreeBSD-SA-19:16.bhyve
=============================================================================
FreeBSD-SA-19:16.bhyve                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Bhyve out-of-bounds read in XHCI device

Category:       core
Module:         bhyve
Announced:      2019-07-24
Credits:        Reno Robert
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-23 17:48:37 UTC (stable/12, 12.0-STABLE)
                2019-07-24 12:56:06 UTC (releng/12.0, 12.0-RELEASE-p8)
                2019-07-23 17:48:37 UTC (stable/11, 11.2-STABLE)
                2019-07-24 12:56:06 UTC (releng/11.2, 11.2-RELEASE-p12)
                2019-07-24 12:56:06 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name:       CVE-2019-5604

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

I.   Background

bhyve(8) is a hypervisor that supports running a variety of virtual machines
(guests). bhyve includes an emulated XHCI device.

II.  Problem Description

The pci_xhci_device_doorbell() function does not validate the 'epid' and
'streamid' provided by the guest, leading to an out-of-bounds read.

III. Impact

A misbehaving bhyve guest could crash the system or access memory that it
should not be able to.

IV.  Workaround

No workaround is available; however, systems not using bhyve(8) for
virtualization are not vulnerable.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

No reboot is required. Rather, the bhyve(8) process for vulnerable virtual
machines should be restarted.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Restart any bhyve virtual machines or reboot the system.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:16/bhyve.patch
# fetch https://security.FreeBSD.org/patches/SA-19:16/bhyve.patch.asc
# gpg --verify bhyve.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in https://www.FreeBSD.org/handbook/makeworld.html.

Restart any bhyve virtual machines, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r350246
releng/12.0/                                                      r350285
stable/11/                                                        r350247
releng/11.2/                                                      r350285
releng/11.3/                                                      r350285
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5604

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:16.bhyve.asc
FreeBSD Security Advisory FreeBSD-SA-19:17.fd
=============================================================================
FreeBSD-SA-19:17.fd                                         Security Advisory
                                                          The FreeBSD Project

Topic:          File description reference count leak

Category:       core
Module:         unix
Announced:      2019-07-24
Credits:        Mark Johnston
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-22 19:25:05 UTC (stable/12, 12.0-STABLE)
                2019-07-24 12:57:49 UTC (releng/12.0, 12.0-RELEASE-p8)
                2019-07-22 19:27:23 UTC (stable/11, 11.2-STABLE)
                2019-07-24 12:57:49 UTC (releng/11.2, 11.2-RELEASE-p12)
                2019-07-24 12:57:49 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name:       CVE-2019-5607

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

I.   Background

UNIX-domain sockets are used for inter-process communication. It is possible
to use UNIX-domain sockets to transfer rights, encoded as file descriptors,
to another process. Rights are encapsulated in control messages, and multiple
such messages may be transmitted with a single system call.

II.  Problem Description

If a process attempts to transmit rights over a UNIX-domain socket and an
error causes the attempt to fail, references acquired on the rights are not
released and are leaked. This bug can be used to cause the reference counter
to wrap around and free the corresponding file structure.

III. Impact

A local user can exploit the bug to gain root privileges or escape from a
jail.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.11.2.patch.asc
# gpg --verify fd.11.2.patch.asc

[FreeBSD 11.3]
# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.11.patch
# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.11.patch.asc
# gpg --verify fd.11.patch.asc

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.12.patch
# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.12.patch.asc
# gpg --verify fd.12.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
https://www.FreeBSD.org/handbook/kernelconfig.html and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r350222
releng/12.0/                                                      r350286
stable/11/                                                        r350223
releng/11.2/                                                      r350286
releng/11.3/                                                      r350286
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5607

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:17.fd.asc
FreeBSD Security Advisory FreeBSD-SA-19:15.mqueuefs
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:15.mqueuefs                                   Security Advisory
                                                          The FreeBSD Project

Topic:          Reference count overflow in mqueue filesystem

Category:       core
Module:         kernel
Announced:      2019-07-24
Credits:        Mateusz Guzik
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-23 21:12:32 UTC (stable/12, 12.0-STABLE)
                2019-07-24 12:55:16 UTC (releng/12.0, 12.0-RELEASE-p8)
                2019-07-23 21:15:28 UTC (stable/11, 11.2-STABLE)
                2019-07-24 12:55:16 UTC (releng/11.2, 11.2-RELEASE-p12)
                2019-07-24 12:55:16 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name:       CVE-2019-5603

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

mqueuefs(5) implements the POSIX message queue file system, which processes can use as a communication mechanism. 'struct file' represents open files, directories, sockets and other entities.

II.  Problem Description

System calls operating on file descriptors obtain a reference to the relevant struct file. Due to a programming error this reference was not always put back, which in turn could be used to overflow the reference counter of the affected struct file.

III. Impact

A local user can use this flaw to obtain access to files, directories, sockets etc. opened by processes owned by other users. If the obtained struct file represents a directory from outside of the user's jail, it can be used to access files outside of the jail. If the user in question is a jailed root, they can obtain root privileges on the host system.

IV.  Workaround

No workaround is available. Note that the mqueuefs file system is not enabled by default.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:15/mqueuefs.patch
# fetch https://security.FreeBSD.org/patches/SA-19:15/mqueuefs.patch.asc
# gpg --verify mqueuefs.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r350261
releng/12.0/                                                      r350284
stable/11/                                                        r350263
releng/11.2/                                                      r350284
releng/11.3/                                                      r350284
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NN with the revision number, on a machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5603>

The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:15.mqueuefs.asc>
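The Corrected field above names, per releng branch, the first patch level that carries the fix, and freebsd-version(1) reports the level a system is actually running. The POSIX sh helper below is an added example, not part of the advisory: it compares the two and reports patched / VULNERABLE / unknown. The version strings in the demo loop are constructed; the Corrected values are the ones from SA-19:15.

```shell
#!/bin/sh
# Added example, not part of the FreeBSD advisory: decide whether a running
# FreeBSD patch level already carries a given advisory's correction.
#
# freebsd-version(1) prints strings such as "12.0-RELEASE-p8" (releng branch,
# security patch level 8) or "12.0-RELEASE" (patch level 0). Branches such as
# "12.0-STABLE" or "11.3-RC3-p1" carry no comparable patch level; for those the
# advisory's correction date has to be compared against the build date instead.

# parse_releng_version VERSION
# Prints "MAJOR MINOR PATCHLEVEL" for a releng version string, e.g.
# "12.0-RELEASE-p8" -> "12 0 8" and "11.3-RELEASE" -> "11 3 0".
# Returns 1 for anything that is not a -RELEASE[-pN] string.
parse_releng_version() {
    pv=$1
    case $pv in
        [0-9]*.[0-9]*-RELEASE|[0-9]*.[0-9]*-RELEASE-p[0-9]*) ;;
        *) return 1 ;;
    esac
    pmaj=${pv%%.*}
    prest=${pv#*.}
    pmin=${prest%%-*}
    case $pv in
        *-p*) ppatch=${pv##*-p} ;;
        *)    ppatch=0 ;;
    esac
    printf '%s %s %s\n' "$pmaj" "$pmin" "$ppatch"
}

# is_patched RUNNING CORRECTED
#   RUNNING   output of `freebsd-version -k` (kernel) or `freebsd-version -u`
#   CORRECTED one entry from the advisory's Corrected field, e.g. 12.0-RELEASE-p8
# Exit 0: running patch level is at or beyond the corrected one.
# Exit 1: same release line, but an older patch level (vulnerable).
# Exit 2: different release line, or not a releng version (undecidable here).
is_patched() {
    rp=$(parse_releng_version "$1") || return 2
    fp=$(parse_releng_version "$2") || return 2
    set -- $rp $fp   # $1-$3 running MAJ MIN PATCH, $4-$6 corrected MAJ MIN PATCH
    [ "$1" = "$4" ] && [ "$2" = "$5" ] || return 2
    [ "$3" -ge "$6" ]
}

# check_advisory RUNNING CORRECTED...
# Walks the advisory's Corrected entries, finds the one for the running
# release line and prints "patched", "VULNERABLE" or "unknown"; the exit
# status mirrors is_patched (0, 1 or 2).
check_advisory() {
    rv=$1; shift
    for c in "$@"; do
        is_patched "$rv" "$c" && st=0 || st=$?
        case $st in
            0) echo patched;    return 0 ;;
            1) echo VULNERABLE; return 1 ;;
        esac
    done
    echo unknown
    return 2
}

# Demonstration on constructed version strings; the Corrected list is the one
# from FreeBSD-SA-19:15.mqueuefs. On a live system use:
#   check_advisory "$(freebsd-version -k)" 12.0-RELEASE-p8 11.2-RELEASE-p12 11.3-RELEASE-p1
for kv in 12.0-RELEASE-p7 12.0-RELEASE-p8 11.3-RELEASE 12.0-STABLE 11.1-RELEASE-p15; do
    printf '%-16s -> ' "$kv"
    check_advisory "$kv" 12.0-RELEASE-p8 11.2-RELEASE-p12 11.3-RELEASE-p1 || :
done
```

Run it once with `freebsd-version -k` and once with `freebsd-version -u`: after a freebsd-update the userland level changes immediately, while the kernel level only changes after the reboot the advisory asks for.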
FreeBSD Security Advisory FreeBSD-SA-19:14.freebsd32
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:14.freebsd32                                  Security Advisory
                                                          The FreeBSD Project

Topic:          Kernel memory disclosure in freebsd32_ioctl

Category:       core
Module:         kernel
Announced:      2019-07-24
Credits:        Ilja van Sprundel, IOActive
Affects:        FreeBSD 11.2 and FreeBSD 11.3
Corrected:      2019-07-22 18:14:34 UTC (stable/11, 11.2-STABLE)
                2019-07-24 12:54:10 UTC (releng/11.2, 11.2-RELEASE-p12)
                2019-07-24 12:54:10 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name:       CVE-2019-5605

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The FreeBSD kernel supports executing 32-bit applications on a 64-bit kernel, including the ioctl(2) interface.

II.  Problem Description

Due to insufficient initialization of memory copied to userland in the components listed above, small amounts of kernel memory may be disclosed to userland processes.

III. Impact

A user who can invoke 32-bit FreeBSD ioctls may be able to read the contents of small portions of kernel memory. Such memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way; for example, a terminal buffer might include a user-entered password.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:14/freebsd32.patch
# fetch https://security.FreeBSD.org/patches/SA-19:14/freebsd32.patch.asc
# gpg --verify freebsd32.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/11/                                                        r350217
releng/11.2/                                                      r350283
releng/11.3/                                                      r350283
-------------------------------------------------------------------------

Note: This issue was addressed in a different way prior to the branch point for stable/12. As such, no patch is needed for FreeBSD 12.x.

To see which files were modified by a particular revision, run the following command, replacing NN with the revision number, on a machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5605>

The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:14.freebsd32.asc>
FreeBSD Security Advisory FreeBSD-SA-19:12.telnet
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:12.telnet                                     Security Advisory
                                                          The FreeBSD Project

Topic:          telnet(1) client multiple vulnerabilities

Category:       contrib
Module:         contrib/telnet
Announced:      2019-07-24
Credits:        Juniper Networks
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-19 15:37:29 UTC (stable/12, 12.0-STABLE)
                2019-07-24 12:51:52 UTC (releng/12.0, 12.0-RELEASE-p8)
                2019-07-19 15:27:53 UTC (stable/11, 11.2-STABLE)
                2019-07-24 12:51:52 UTC (releng/11.2, 11.2-RELEASE-p12)
                2019-07-24 12:51:52 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name:       CVE-2019-0053

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The telnet(1) command is a TELNET protocol client, used primarily to establish terminal sessions across a network.

II.  Problem Description

Insufficient validation of environment variables in the telnet client supplied in FreeBSD can lead to stack-based buffer overflows. A stack-based overflow is present in the handling of environment variables when connecting via the telnet client to remote telnet servers. This issue only affects the telnet client. Inbound telnet sessions to telnetd(8) are not affected by this issue.

III. Impact

These buffer overflows may be triggered when connecting to a malicious server, or by an active attacker in the network path between the client and server. Specially crafted TELNET command sequences may cause the execution of arbitrary code with the privileges of the user invoking telnet(1).

IV.  Workaround

Do not use telnet(1) to connect to untrusted machines or over an untrusted network.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:12/telnet.patch
# fetch https://security.FreeBSD.org/patches/SA-19:12/telnet.patch.asc
# gpg --verify telnet.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r350139
releng/12.0/                                                      r350281
stable/11/                                                        r350140
releng/11.2/                                                      r350281
releng/11.3/                                                      r350281
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NN with the revision number, on a machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0053>

The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:12.telnet.asc>
FreeBSD Security Advisory FreeBSD-SA-19:13.pts
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:13.pts                                        Security Advisory
                                                          The FreeBSD Project

Topic:          pts(4) write-after-free

Category:       core
Module:         kernel
Announced:      2019-07-24
Credits:        syzkaller
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-07 14:19:46 UTC (stable/12, 12.0-STABLE)
                2019-07-24 12:53:06 UTC (releng/12.0, 12.0-RELEASE-p8)
                2019-07-07 14:20:14 UTC (stable/11, 11.2-STABLE)
                2019-07-24 12:53:06 UTC (releng/11.2, 11.2-RELEASE-p12)
                2019-07-24 12:53:06 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name:       CVE-2019-5606

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The posix_openpt(2) system call allocates a pseudo-terminal device and returns a descriptor referencing that device. Such a descriptor may be configured such that a SIGIO signal will be sent to a designated process or process group when the device is ready to perform I/O.

II.  Problem Description

The code which handles a close(2) of a descriptor created by posix_openpt(2) fails to undo the configuration which causes SIGIO to be raised. This bug can lead to a write-after-free of kernel memory.

III. Impact

The bug permits malicious code to trigger a write-after-free, which may be used to gain root privileges or escape a jail.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:13/pts.patch
# fetch https://security.FreeBSD.org/patches/SA-19:13/pts.patch.asc
# gpg --verify pts.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r349805
releng/12.0/                                                      r350282
stable/11/                                                        r349806
releng/11.2/                                                      r350282
releng/11.3/                                                      r350282
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NN with the revision number, on a machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5606>

The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:13.pts.asc>
FreeBSD Security Advisory FreeBSD-SA-19:10.ufs
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:10.ufs                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Kernel stack disclosure in UFS/FFS

Category:       core
Module:         kernel
Announced:      2019-07-02
Credits:        David G. Lawrence
Affects:        All supported versions of FreeBSD.
Corrected:      2019-05-10 23:45:16 UTC (stable/12, 12.0-STABLE)
                2019-07-02 00:02:16 UTC (releng/12.0, 12.0-RELEASE-p7)
                2019-05-10 23:46:42 UTC (stable/11, 11.2-STABLE)
                2019-07-02 00:02:16 UTC (releng/11.2, 11.2-RELEASE-p11)
CVE Name:       CVE-2019-5601

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The Berkeley Fast File System (FFS) is an implementation of the UNIX File System (UFS) filesystem used by FreeBSD.

II.  Problem Description

A bug causes up to three bytes of kernel stack memory to be written to disk as uninitialized directory entry padding. This data can be viewed by any user with read access to the directory. Additionally, a malicious user with write access to a directory can cause up to 254 bytes of kernel stack memory to be exposed.

III. Impact

Some amount of the kernel stack is disclosed and written out to the filesystem.

IV.  Workaround

No workaround is available, but systems not using UFS/FFS are not affected.

V.   Solution

Special note: This update also adds the -z flag to fsck_ffs to have it scrub the leaked information in the name padding of existing directories. It only needs to be run once on each UFS/FFS filesystem after a patched kernel is installed and running.

Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, reboot the system and run:

# fsck -t ufs -f -p -T ufs:-z

to clean up your existing filesystems.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 12.x]
# fetch https://security.FreeBSD.org/patches/SA-19:10/ufs.12.patch
# fetch https://security.FreeBSD.org/patches/SA-19:10/ufs.12.patch.asc
# gpg --verify ufs.12.patch.asc

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-19:10/ufs.11.patch
# fetch https://security.FreeBSD.org/patches/SA-19:10/ufs.11.patch.asc
# gpg --verify ufs.11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html>, reboot the system and run:

# fsck -t ufs -f -p -T ufs:-z

to clean up your existing filesystems.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r347474
releng/12.0/                                                      r349623
stable/11/                                                        r347475
releng/11.2/                                                      r349623
-------------------------------------------------------------------------

Note: This patch was applied to the stable/11 branch before the branch point for releng/11.3. As such, no patch is needed for any 11.3-BETA or -RC.

To see which files were modified by a particular revision, run the following command, replacing NN with the revision number, on a machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5601>

The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:10.ufs.asc>
FreeBSD Security Advisory FreeBSD-SA-19:11.cd_ioctl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:11.cd_ioctl                                   Security Advisory
                                                          The FreeBSD Project

Topic:          Privilege escalation in cd(4) driver

Category:       core
Module:         kernel
Announced:      2019-07-02
Credits:        Alex Fortune
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-03 00:11:31 UTC (stable/12, 12.0-STABLE)
                2019-07-02 00:03:55 UTC (releng/12.0, 12.0-RELEASE-p7)
                2019-07-03 00:12:50 UTC (stable/11, 11.3-PRERELEASE)
                2019-07-02 00:03:55 UTC (releng/11.3, 11.3-RC3-p1)
                2019-07-02 00:03:55 UTC (releng/11.2, 11.2-RELEASE-p11)
CVE Name:       CVE-2019-5602

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The cd(4) driver implements a number of ioctls to permit low-level access to the media in the CD-ROM device. The Linux emulation layer provides a corresponding set of ioctls, some of which are implemented as wrappers of native cd(4) ioctls. These ioctls are available to users in the operator group, which gets read-only access to cd(4) devices by default.

II.  Problem Description

To implement one particular ioctl, the Linux emulation code used a special interface present in the cd(4) driver which allows it to copy subchannel information directly to a kernel address. This interface was erroneously made accessible to userland, allowing users with read access to a cd(4) device to arbitrarily overwrite kernel memory when some media is present in the device.

III. Impact

A user in the operator group can make use of this interface to gain root privileges on a system with a cd(4) device when some media is present in the device.

IV.  Workaround

devfs.conf(5) and devfs.rules(5) can be used to remove read permissions from cd(4) devices.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, reboot the system.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 12.x]
# fetch https://security.FreeBSD.org/patches/SA-19:11/cd_ioctl.12.patch
# fetch https://security.FreeBSD.org/patches/SA-19:11/cd_ioctl.12.patch.asc
# gpg --verify cd_ioctl.12.patch.asc

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-19:11/cd_ioctl.11.patch
# fetch https://security.FreeBSD.org/patches/SA-19:11/cd_ioctl.11.patch.asc
# gpg --verify cd_ioctl.11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r349628
releng/12.0/                                                      r349625
stable/11/                                                        r349629
releng/11.3/                                                      r349625
releng/11.2/                                                      r349625
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NN with the revision number, on a machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5602>

The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:11.cd_ioctl.asc>
FreeBSD Security Advisory FreeBSD-SA-19:09.iconv
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:09.iconv                                      Security Advisory
                                                          The FreeBSD Project

Topic:          iconv buffer overflow

Category:       core
Module:         libc
Announced:      2019-07-02
Credits:        Andrea Venturoli, NetFence
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-03 00:01:38 UTC (stable/12, 12.0-STABLE)
                2019-07-03 00:00:39 UTC (releng/12.0, 12.0-RELEASE-p7)
                2019-07-03 00:03:14 UTC (stable/11, 11.3-PRERELEASE)
                2019-07-03 00:00:39 UTC (releng/11.3, 11.3-RC3-p1)
                2019-07-03 00:00:39 UTC (releng/11.2, 11.2-RELEASE-p11)
CVE Name:       CVE-2019-5600

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The iconv(3) API converts text data from one character encoding to another and is available as part of the standard C library (libc).

II.  Problem Description

With certain inputs, iconv may write beyond the end of the output buffer.

III. Impact

Depending on the way in which iconv is used, an attacker may be able to create a denial of service, provoke incorrect program behavior, or induce a remote code execution. iconv is a libc library function and the nature of possible attacks will depend on the way in which iconv is used by applications or daemons.

IV.  Workaround

No workaround is available. Stack canaries (-fstack-protector), which are enabled by default, provide a degree of defense against code injection but not against denial of service.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Restart any potentially affected daemons.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:09/iconv.patch
# fetch https://security.FreeBSD.org/patches/SA-19:09/iconv.patch.asc
# gpg --verify iconv.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r349622
releng/12.0/                                                      r349621
stable/11/                                                        r349624
releng/11.3/                                                      r349621
releng/11.2/                                                      r349621
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NN with the revision number, on a machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5600>

The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:09.iconv.asc>
FreeBSD Security Advisory FreeBSD-SA-19:08.rack
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:08.rack                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Resource exhaustion in non-default RACK TCP stack

Category:       core
Module:         inet
Announced:      2019-06-19
Credits:        Jonathan Looney (Netflix)
                Peter Lei (Netflix)
Affects:        FreeBSD 12.0 and later
Corrected:      2019-06-19 16:25:39 UTC (stable/12, 12.0-STABLE)
                2019-06-19 16:43:05 UTC (releng/12.0, 12.0-RELEASE-p6)
CVE Name:       CVE-2019-5599

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite provides a connection-oriented, reliable, sequence-preserving data stream service.

A TCP loss detection algorithm called RACK ("Recent ACKnowledgment") uses the notion of time, in addition to packet or sequence counts, to detect losses for modern TCP implementations that support per-packet timestamps and the selective acknowledgment (SACK) option.

FreeBSD ships an optional implementation of RACK. Please note this is not included by default. If RACK was not specifically compiled, installed, and loaded, the system is not vulnerable.

II.  Problem Description

While processing acknowledgements, the RACK code uses several linked lists to maintain state entries. A malicious attacker can cause the lists to grow unbounded. This can cause an expensive list traversal on every packet being processed, leading to resource exhaustion and a denial of service.

III. Impact

An attacker with the ability to send specially crafted TCP traffic to a victim system can degrade network performance and/or consume excessive CPU by exploiting the inefficiency of traversing the potentially very large RACK linked lists with relatively small bandwidth cost.

IV.  Workaround

By default RACK is not compiled or loaded into the TCP stack.

To determine if you are using RACK, check the net.inet.tcp.functions_available sysctl. If it includes a line with "rack", the RACK stack is loaded.

To disable RACK, unload the kernel module with:

# kldunload tcp_rack

Note: it may be required to use the force flag (-f) with the kldunload.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Since the tcp_rack kernel module is not built by default, recompile, reinstall, and reload the kernel module.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:08/rack.patch
# fetch https://security.FreeBSD.org/patches/SA-19:08/rack.patch.asc
# gpg --verify rack.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile, reinstall, and reload the tcp_rack kernel module.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r349197
releng/12.0/                                                      r349199
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NN with the revision number, on a machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5599>

The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:08.rack.asc>
FreeBSD Security Advisory FreeBSD-SA-19:07.mds [REVISED]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:07.mds                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Microarchitectural Data Sampling (MDS)

Category:       core
Module:         kernel
Announced:      2019-05-14
Credits:        Refer to Intel's security advisory at the URL below for
                detailed acknowledgements.
Affects:        All supported versions of FreeBSD.
Corrected:      2019-05-14 17:04:00 UTC (stable/12, 12.0-STABLE)
                2019-05-14 23:19:08 UTC (releng/12.0, 12.0-RELEASE-p4)
                2019-05-14 17:05:02 UTC (stable/11, 11.3-PRERELEASE)
                2019-05-14 23:20:16 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2018-12126, CVE-2018-12127, CVE-2018-12130,
                CVE-2019-11091

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

0.   Revision history

v1.0  2019-05-14  Initial release.
v1.1  2019-05-15  Fixed date on microcode update package.
v1.2  2019-05-15  Userland startup microcode update details added.
                  Add language specifying which manufacturers are affected.

I.   Background

Modern processors make use of speculative execution, an optimization
technique which performs some action in advance of knowing whether the
result will actually be used.

II.  Problem Description

On some Intel processors utilizing speculative execution a local process
may be able to infer stale information from microarchitectural buffers to
obtain a memory disclosure.

III. Impact

An attacker may be able to read secret data from the kernel or from a
process when executing untrusted code (for example, in a web browser).

IV.  Workaround

No workaround is available.  Only Intel x86 based processors are
affected.  x86 processors from other manufacturers (eg, AMD) are not
believed to be vulnerable.

Systems with users or processes in different trust domains should
disable Hyper-Threading by setting the machdep.hyperthreading_allowed
tunable to 0:

# echo 'machdep.hyperthreading_allowed=0' >> /boot/loader.conf
# shutdown -r +10min "Security update"

V.   Solution

Perform one of the following:

Update CPU microcode, upgrade your vulnerable system to a supported
FreeBSD stable or release / security branch (releng) dated after the
correction date, evaluate mitigation and Hyper-Threading controls, and
reboot the system.

New CPU microcode may be available in a BIOS update from your system
vendor, or by installing the devcpu-data package or sysutils/devcpu-data
port.  Ensure that the BIOS update or devcpu-data package is dated after
2019-05-14.

If using the package or port, the Intel microcode update can be applied
at boot time (only on FreeBSD 12 and later) by adding the following lines
to the system's /boot/loader.conf:

cpu_microcode_load="YES"
cpu_microcode_name="/boot/firmware/intel-ucode.bin"

To automatically load microcode during userland startup (supported on all
FreeBSD versions), add the following to /etc/rc.conf:

microcode_update_enable="YES"

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Follow additional details under "Mitigation Configuration" below.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.0-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch.asc
# gpg --verify mds.12-stable.patch.asc

[FreeBSD 12.0-RELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch.asc
# gpg --verify mds.12.0.patch.asc

[FreeBSD 11.3-PRERELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch.asc
# gpg --verify mds.11-stable.patch.asc

[FreeBSD 11.2-RELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch.asc
# gpg --verify mds.11.2.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html>.

Mitigation
FreeBSD Security Advisory FreeBSD-SA-19:07.mds

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:07.mds                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Microarchitectural Data Sampling (MDS)

Category:       core
Module:         kernel
Announced:      2019-05-14
Credits:        Refer to Intel's security advisory at the URL below for
                detailed acknowledgements.
Affects:        All supported versions of FreeBSD.
Corrected:      2019-05-14 17:04:00 UTC (stable/12, 12.0-STABLE)
                2019-05-15 13:44:27 UTC (releng/12.0, 12.0-RELEASE-p5)
                2019-05-14 17:05:02 UTC (stable/11, 11.3-PRERELEASE)
                2019-05-14 23:20:16 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2018-12126, CVE-2018-12127, CVE-2018-12130,
                CVE-2019-11091

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

0.   Revision history

v1.0  2019-05-14  Initial release.
v1.1  2019-05-15  Fixed date on microcode update package.
v1.2  2019-05-15  Userland startup microcode update details added.
                  Add language specifying which manufacturers are affected.
v1.3  2019-05-15  Minor quoting nit for the HT disable loader config.
v2.0  2019-05-15  Rerelease 12.0-RELEASE patch as -p5 due to i386 panic bug.

I.   Background

Modern processors make use of speculative execution, an optimization
technique which performs some action in advance of knowing whether the
result will actually be used.

II.  Problem Description

On some Intel processors utilizing speculative execution a local process
may be able to infer stale information from microarchitectural buffers to
obtain a memory disclosure.

III. Impact

An attacker may be able to read secret data from the kernel or from a
process when executing untrusted code (for example, in a web browser).

IV.  Workaround

No workaround is available.  Only Intel x86 based processors are
affected.  x86 processors from other manufacturers (eg, AMD) are not
believed to be vulnerable.

Systems with users or processes in different trust domains should
disable Hyper-Threading by setting the machdep.hyperthreading_allowed
tunable to 0:

# echo 'machdep.hyperthreading_allowed=0' >> /boot/loader.conf
# shutdown -r +10min "Security update"

V.   Solution

Perform one of the following:

Update CPU microcode, upgrade your vulnerable system to a supported
FreeBSD stable or release / security branch (releng) dated after the
correction date, evaluate mitigation and Hyper-Threading controls, and
reboot the system.

New CPU microcode may be available in a BIOS update from your system
vendor, or by installing the devcpu-data package or sysutils/devcpu-data
port.  Ensure that the BIOS update or devcpu-data package is dated after
2019-05-14.

If using the package or port, the Intel microcode update can be applied
at boot time (only on FreeBSD 12 and later) by adding the following lines
to the system's /boot/loader.conf:

cpu_microcode_load="YES"
cpu_microcode_name="/boot/firmware/intel-ucode.bin"

To automatically load microcode during userland startup (supported on all
FreeBSD versions), add the following to /etc/rc.conf:

microcode_update_enable="YES"

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Follow additional details under "Mitigation Configuration" below.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[*** v2.0 NOTE *** Only applies to 12.0-RELEASE ***]

Due to an error in the 12.0-RELEASE patch affecting the i386
architecture, a new set of patches is being released.

If your 12.0-RELEASE sources are not yet patched using the initially
published patch, then you need to apply the mds.12.0.patch.

If your sources are already updated, or patched with the patch from the
initial advisory, then you need to apply the incremental patch, named
mds.12.0.p4p5.patch.

[FreeBSD 12.0-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch.asc
# gpg --verify mds.12-stable.patch.asc

[FreeBSD 12.0-RELEASE, not patched with initial SA-19:07.mds patch]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch.asc
# gpg --verify mds.12.
FreeBSD Security Advisory FreeBSD-SA-19:07.mds

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:07.mds                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Microarchitectural Data Sampling (MDS)

Category:       core
Module:         kernel
Announced:      2019-05-14
Credits:        Refer to Intel's security advisory at the URL below for
                detailed acknowledgements.
Affects:        All supported versions of FreeBSD.
Corrected:      2019-05-14 17:04:00 UTC (stable/12, 12.0-STABLE)
                2019-05-14 23:19:08 UTC (releng/12.0, 12.0-RELEASE-p4)
                2019-05-14 17:05:02 UTC (stable/11, 11.3-PRERELEASE)
                2019-05-14 23:20:16 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2018-12126, CVE-2018-12127, CVE-2018-12130,
                CVE-2019-11091

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

Modern processors make use of speculative execution, an optimization
technique which performs some action in advance of knowing whether the
result will actually be used.

II.  Problem Description

On some Intel processors utilizing speculative execution a local process
may be able to infer stale information from microarchitectural buffers to
obtain a memory disclosure.

III. Impact

An attacker may be able to read secret data from the kernel or from a
process when executing untrusted code (for example, in a web browser).

IV.  Workaround

No workaround is available.

Systems with users or processes in different trust domains should
disable Hyper-Threading by setting the machdep.hyperthreading_allowed
tunable to 0:

# echo 'machdep.hyperthreading_allowed=0' >> /boot/loader.conf
# shutdown

V.   Solution

Perform one of the following:

Update CPU microcode, upgrade your vulnerable system to a supported
FreeBSD stable or release / security branch (releng) dated after the
correction date, evaluate mitigation and Hyper-Threading controls, and
reboot the system.

New CPU microcode may be available in a BIOS update from your system
vendor, or by installing the devcpu-data package or sysutils/devcpu-data
port.  Ensure that the BIOS update or devcpu-data package is dated after
2019-05-14.

If using the package or port, the microcode update can be applied at
boot time by adding the following lines to the system's
/boot/loader.conf:

cpu_microcode_load="YES"
cpu_microcode_name="/boot/firmware/intel-ucode.bin"

Microcode updates can also be applied while the system is running.  See
cpucontrol(8) for details.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Follow additional details under "Mitigation Configuration" below.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.0-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch.asc
# gpg --verify mds.12-stable.patch.asc

[FreeBSD 12.0-RELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch.asc
# gpg --verify mds.12.0.patch.asc

[FreeBSD 11.3-PRERELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch.asc
# gpg --verify mds.11-stable.patch.asc

[FreeBSD 11.2-RELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch.asc
# gpg --verify mds.11.2.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html>.

Mitigation Configuration

Systems with users, processes, or virtual machines in different trust
domains should disable Hyper-Threading by setting the
machdep.hyperthreading_allowed tunable to 0:

# echo machdep.hyperthreading_allowed=0 >> /boot/loader.conf

To activate the MDS mitigation set the hw.mds_disable sysctl.  The
settings are:

0 - mitigation disabled
1 - VERW instruction (microcode) mitigation enabled
2 - Software sequence mitigation enabled (not recommended)
3 - Automatic VERW or Software selection

Automatic mode uses the V
FreeBSD Security Advisory FreeBSD-SA-19:05.pf

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:05.pf                                         Security Advisory
                                                          The FreeBSD Project

Topic:          IPv6 fragment reassembly panic in pf(4)

Category:       contrib
Module:         pf
Announced:      2019-05-14
Credits:        Synacktiv
Affects:        All supported versions of FreeBSD
Corrected:      2019-03-01 18:12:05 UTC (stable/12, 12.0-STABLE)
                2019-05-14 23:10:21 UTC (releng/12.0, 12.0-RELEASE-p4)
                2019-03-01 18:12:07 UTC (stable/11, 11.3-PRERELEASE)
                2019-05-14 23:10:21 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2019-5597

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

pf(4) is an Internet Protocol packet filter originally written for
OpenBSD.  In addition to filtering packets, it also has packet
normalization capabilities.

II.  Problem Description

A bug in the pf(4) IPv6 fragment reassembly logic incorrectly uses the
last extension header offset from the last received packet instead of
from the first packet.

III. Impact

Malicious IPv6 packets with different IPv6 extensions could cause a
kernel panic or potentially a filtering rule bypass.

IV.  Workaround

Only systems using the pf(4) firewall with packet scrubbing enabled (the
recommended 'scrub all in' or similar) are affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Afterwards, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:05/pf.patch
# fetch https://security.FreeBSD.org/patches/SA-19:05/pf.patch.asc
# gpg --verify pf.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r344706
releng/12.0/                                                      r347591
stable/11/                                                        r344707
releng/11.2/                                                      r347591
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://www.synacktiv.com/ressources/Synacktiv_OpenBSD_PacketFilter_CVE-2019-5597_ipv6_frag.pdf>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5597>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:05.pf.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzbTsNfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cL1cxAAjYy90WBfuBkU/FddQWMJkXOn2YqABFxY/BfFpJEbGrnXXuxz9YJByK3b
6ikWq5HcxgL/9ek6QULwEOoNvms8tT4m4waJOLa3hZPoPlgD2ArgvdcEI00R/8T9
Z+k1YlT0oLOY4XbVynPGNmiFNTAcsg7Ognp9yam3kmPZTMGYm6cKIBy1idrzCCmI
nj0SscyoL4Z09kSWe3UOitjh8cpxqGuvGosCb7YGPl6yTSalBUgP44Lyg7jS4nrZ
xjZxqhAfp7tk9peF4rov8apZIsrBF5GMaahnIGIwZzmRn/E1pND9qx1lB1Uh7rfR
nb8OmwbshJTWdnS1GXyLxRGJOd0zmh+YZ10ygZAQTM5sNaxfn6pWJFmr2S/mR+kN
RG/Bhj+lN7jh1eUNdwk/pAm0aZZ+J8GX4/QOrqPfGDko/s/S7YwJB/DKR/14uPY7
Fwcgv4tvgoRstSKHdIe45d7/N0SgQCS/EfzVIO5XPQtkrk9/zalQubionijObr1Q
ARVl7H5M7m7kP8PJz/vRNvhar0c0xTk9ov2JDxKHKTd+7D78LQEAFvEGPIFREBsY
VBW8BqZbuVcsgrhr/YWFE3TEw4O0YbnY5g9wmVv+d/pdDngLuTsfbNEsAQewWcu/
dYefeBMKBukyLUKtLYHjVAhUlL3hF3
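The reassembly bookkeeping that SA-19:05.pf describes, as an added example that is not pf's code and not from the advisory: a reassembled IPv6 datagram is the first fragment's unfragmentable part (base header plus any extension headers before the Fragment header) followed by the payloads in order, and the next-header byte of the header that preceded the Fragment header has to be rewritten to the upper-layer protocol afterwards. The offset of that byte (called `extoff` here, a name chosen for the model) must therefore be taken from the first fragment. The model below builds two constructed fragments, the second carrying a Destination Options header the first lacks, and reassembles with the offset taken from either the first or the last fragment; the bounds check that makes the buggy variant return -1 stands in for the inconsistent state the advisory reports as a panic.

```c
/* Model of IPv6 fragment reassembly offset bookkeeping (SA-19:05.pf).
 * Added example, not pf(4) code; packets are constructed, not captured. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP6_HDR     40
#define FRAG_HDR    8
#define DSTOPT_HDR  8
#define NXT_UDP     17
#define NXT_FRAG    44
#define NXT_DSTOPTS 60

struct frag {
    uint8_t buf[128];
    size_t  len;
    size_t  extoff;   /* offset of the next-header byte to rewrite after reassembly */
    size_t  fragoff;  /* offset of the Fragment header */
    uint8_t nxt;      /* upper-layer protocol carried in the Fragment header */
};

/* Build a fragment: base header, optionally one Destination Options header,
 * then a Fragment header and `plen` payload bytes of `fill`.  `off` is the
 * fragment offset in 8-octet units, `more` the M flag. */
void make_frag(struct frag *f, int dstopts, uint16_t off, int more, size_t plen, uint8_t fill)
{
    uint8_t *p = f->buf;
    size_t pos = IP6_HDR;

    memset(f, 0, sizeof *f);
    p[0] = 0x60;                                   /* version 6 */
    if (dstopts) {
        p[6] = NXT_DSTOPTS;
        f->extoff = IP6_HDR;                       /* rewrite target: dstopts' next-header byte */
        p[pos] = NXT_FRAG;                         /* hdr ext len 0, i.e. 8 bytes */
        pos += DSTOPT_HDR;
    } else {
        p[6] = NXT_FRAG;
        f->extoff = 6;                             /* rewrite target: ip6_nxt */
    }
    f->fragoff = pos;
    p[pos] = NXT_UDP;
    p[pos + 2] = (uint8_t)(off >> 5);              /* 13-bit offset, 2 reserved bits, M flag */
    p[pos + 3] = (uint8_t)(((off & 0x1f) << 3) | (more ? 1 : 0));
    pos += FRAG_HDR;
    memset(p + pos, fill, plen);
    f->len = pos + plen;
    f->nxt = NXT_UDP;
}

/* Reassemble fragments given in offset order.  `buggy` takes extoff from the
 * last fragment instead of the first.  Returns the reassembled length, or -1
 * if the rewrite would land outside the unfragmentable part. */
long reassemble(const struct frag *fr, size_t n, int buggy, uint8_t *out, size_t cap)
{
    size_t unfrag, total, extoff, i;

    if (n == 0)
        return -1;
    unfrag = fr[0].fragoff;                        /* unfragmentable part: first fragment only */
    if (unfrag > cap)
        return -1;
    memcpy(out, fr[0].buf, unfrag);
    total = unfrag;
    for (i = 0; i < n; i++) {
        size_t plen = fr[i].len - fr[i].fragoff - FRAG_HDR;
        if (total + plen > cap)
            return -1;
        memcpy(out + total, fr[i].buf + fr[i].fragoff + FRAG_HDR, plen);
        total += plen;
    }
    extoff = buggy ? fr[n - 1].extoff : fr[0].extoff;
    if (extoff >= unfrag)                          /* offset belongs to a header chain we did not copy */
        return -1;
    out[extoff] = fr[0].nxt;                       /* splice the upper-layer protocol back in */
    return (long)total;
}

/* Scenario: first fragment without extension headers, last fragment (attacker
 * controlled) with a Destination Options header, so its extoff (40) points
 * past the 40-byte unfragmentable part of the reassembled datagram. */
static long run_demo(int buggy, uint8_t *out, size_t cap)
{
    struct frag fr[2];

    make_frag(&fr[0], 0, 0, 1, 16, 0xaa);
    make_frag(&fr[1], 1, 2, 0, 16, 0xbb);
    return reassemble(fr, 2, buggy, out, cap);
}

long demo_len(int buggy)                           /* reassembled length, or -1 */
{
    uint8_t out[256];
    return run_demo(buggy, out, sizeof out);
}

int demo_nxt(int buggy)                            /* ip6_nxt after the rewrite, or -1 */
{
    uint8_t out[256];
    if (run_demo(buggy, out, sizeof out) < 0)
        return -1;
    return out[6];
}
```

With the first fragment's offset the datagram reassembles to 72 bytes and `ip6_nxt` becomes 17 (UDP); with the last fragment's offset the rewrite target lies at offset 40, outside the 40 bytes that were actually copied from the first fragment, and the model refuses instead of writing there.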
FreeBSD Security Advisory FreeBSD-SA-19:06.pf

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:06.pf                                         Security Advisory
                                                          The FreeBSD Project

Topic:          ICMP/ICMP6 packet filter bypass in pf

Category:       contrib
Module:         pf
Announced:      2019-05-14
Credits:        Synacktiv
Affects:        All supported versions of FreeBSD
Corrected:      2019-03-21 14:17:10 UTC (stable/12, 12.0-STABLE)
                2019-05-14 23:12:22 UTC (releng/12.0, 12.0-RELEASE-p4)
                2019-03-21 14:17:12 UTC (stable/11, 11.3-PRERELEASE)
                2019-05-14 23:12:22 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2019-5598

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

pf(4) is an Internet Protocol packet filter originally written for
OpenBSD.  In addition to filtering packets, it also has packet
normalization capabilities.

II.  Problem Description

States in pf(4) let ICMP and ICMP6 packets pass if they have a packet in
their payload matching an existing condition.  pf(4) does not check if
the outer ICMP or ICMP6 packet has the same destination IP as the source
IP of the inner protocol packet.

III. Impact

A maliciously crafted ICMP/ICMP6 packet could bypass the packet filter
rules and be passed to a host that would otherwise be unavailable.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Afterwards, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:06/pf.patch
# fetch https://security.FreeBSD.org/patches/SA-19:06/pf.patch.asc
# gpg --verify pf.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r345377
releng/12.0/                                                      r347593
stable/11/                                                        r345378
releng/11.2/                                                      r347593
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://www.synacktiv.com/posts/systems/icmp-reachable.html>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5598>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:06.pf.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzbTsdfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cIjXA/9FevC+Ygihzb0J9MN0znEM883dk5sPCSvMwiivsNRkDMXreYqPXU+Fkt0
iV1OZ8tKwKAihm+iGJ5mzS5l40wWF1oDcqJrC0myICdvreraoJKZvTLhgGIBqKkE
b8yIuzPueWdnnudoAzTV38RhyaP2aOb44OMUNPQZsEB/6hHsNvp9m6yAua/F+x9+
N9J38Y/C6udsNfhqDeuCI4G8yiN33XfFiRbF+31rt3s0rUm6KGNsJanJe8dNAEvE
DN4tA4+MORnQ7QTLgOobGuLFhWJ2urC6psH8duO72hcSTzSkTZpxrC3f6SW8RlZ+
Pbr4LZ6FA3bZp/sCmWPOot94hotBDr03MZwrxURokeDHZU1nUBsw0rmTG4aypujl
JrGPOAp89TtqrR0zV8DhpGO/RWoBeMDf7ZGvIplOIEF5rijQWEyC5pnYlBKPfSdm
UTxcN9RoJCfz7O4KLAAqhHiuu6xc+CqlQH1dvyLbqGVv9LzUQlziTNsbQ4cGryuj
g1TztU0VfpvHDkAKBh0iHwkoUqDSut3K19rFAQ3zkM/EodqSTkE1OG77pmsjYaVq
AfcnN/se8lklq0lKi3BwNvVIWTjhMAwY63otVxvVD4wrJrgQH8NKgOeYuGBreXeW
Uv569bIhR0/vsyGJK/SMKxBiAGfzkE7LqDMJqdXLsompX97nOwI=
=m3as
-----END PGP SIGNATURE-----
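The missing check from SA-19:06.pf, as an added example that is not pf's code and not from the advisory: an ICMP error message (destination unreachable, time exceeded, and so on) quotes the IP header and first 8 bytes of the packet that triggered it, and a stateful filter that lets the error through because the quoted packet matches an existing state must also require that the error is addressed to the host that sent the quoted packet, i.e. outer destination == inner source. The model below parses a constructed IPv4 ICMP error against a one-entry state table with and without that check; addresses, the `icmp_error_pass` function and the state-table layout are this example's own and do not mirror pf's internal structures.

```c
/* Model of the ICMP error check from SA-19:06.pf.  Added example, not pf(4)
 * code; packets are constructed, not captured.  IPv4 only, ICMP6 is analogous. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define PROTO_ICMP 1
#define PROTO_UDP  17

struct ip4hdr { size_t hlen; uint8_t proto; uint32_t src, dst; };
struct state  { uint32_t src, dst; uint8_t proto; };   /* one allowed flow */

static uint32_t get32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Parse an IPv4 header, checking version and header length against the buffer. */
static int parse_ip4(const uint8_t *p, size_t len, struct ip4hdr *h)
{
    if (len < 20 || (p[0] >> 4) != 4)
        return -1;
    h->hlen = (size_t)(p[0] & 0x0f) * 4;
    if (h->hlen < 20 || h->hlen > len)
        return -1;
    h->proto = p[9];
    h->src = get32(p + 12);
    h->dst = get32(p + 16);
    return 0;
}

static int state_matches(const struct state *tbl, size_t n, const struct ip4hdr *pkt)
{
    for (size_t i = 0; i < n; i++)
        if (tbl[i].src == pkt->src && tbl[i].dst == pkt->dst && tbl[i].proto == pkt->proto)
            return 1;
    return 0;
}

static int is_icmp_error(uint8_t type)
{
    return type == 3 || type == 4 || type == 11 || type == 12;
}

/* strict == 0: only the quoted inner packet is matched against state (the
 * behaviour the advisory describes).  strict == 1: also require outer.dst ==
 * inner.src.  Returns 1 if the packet may pass, 0 otherwise. */
int icmp_error_pass(const uint8_t *pkt, size_t len, const struct state *tbl, size_t n, int strict)
{
    struct ip4hdr outer, inner;
    size_t off;

    if (parse_ip4(pkt, len, &outer) < 0 || outer.proto != PROTO_ICMP)
        return 0;
    off = outer.hlen;
    if (len < off + 8 || !is_icmp_error(pkt[off]))
        return 0;
    off += 8;                                       /* skip the ICMP header */
    if (parse_ip4(pkt + off, len - off, &inner) < 0 || !state_matches(tbl, n, &inner))
        return 0;
    if (strict && outer.dst != inner.src)           /* the check SA-19:06 adds */
        return 0;
    return 1;
}

/* Construct an ICMP "port unreachable" quoting an inner UDP packet.  Checksums
 * are left zero; this model does not validate them.  Returns the length. */
size_t build_icmp_error(uint8_t *buf, uint32_t osrc, uint32_t odst, uint32_t isrc, uint32_t idst)
{
    uint8_t *inner = buf + 20 + 8;
    memset(buf, 0, 56);
    buf[0] = 0x45; buf[3] = 56; buf[8] = 64; buf[9] = PROTO_ICMP;   /* outer IPv4 header */
    put32(buf + 12, osrc); put32(buf + 16, odst);
    buf[20] = 3; buf[21] = 3;                                       /* ICMP type 3, code 3 */
    inner[0] = 0x45; inner[3] = 28; inner[8] = 64; inner[9] = PROTO_UDP;
    put32(inner + 12, isrc); put32(inner + 16, idst);
    inner[20] = 0x9c; inner[21] = 0x40; inner[23] = 53;             /* UDP 40000 -> 53 */
    return 56;
}

/* Constructed scenario: 10.0.0.5 has an outbound UDP state to 203.0.113.9. */
static const struct state demo_states[] = {
    { IP4(10, 0, 0, 5), IP4(203, 0, 113, 9), PROTO_UDP },
};

/* A router on the path reports the error back to the originator. */
int demo_legit(int strict)
{
    uint8_t pkt[64];
    size_t n = build_icmp_error(pkt, IP4(198, 51, 100, 1), IP4(10, 0, 0, 5),
                                IP4(10, 0, 0, 5), IP4(203, 0, 113, 9));
    return icmp_error_pass(pkt, n, demo_states, 1, strict);
}

/* Crafted: the quoted packet matches the state, but the error is addressed
 * to 10.0.0.23, a host with no state at all. */
int demo_crafted(int strict)
{
    uint8_t pkt[64];
    size_t n = build_icmp_error(pkt, IP4(198, 51, 100, 77), IP4(10, 0, 0, 23),
                                IP4(10, 0, 0, 5), IP4(203, 0, 113, 9));
    return icmp_error_pass(pkt, n, demo_states, 1, strict);
}

int main(void)
{
    printf("legitimate error: pre-fix=%d fixed=%d\n", demo_legit(0), demo_legit(1));
    printf("crafted error:    pre-fix=%d fixed=%d\n", demo_crafted(0), demo_crafted(1));
    return 0;
}
```

The legitimate error passes in both modes; the crafted one passes only without the check, which is the rule bypass the Impact section describes.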
FreeBSD Security Advisory FreeBSD-SA-19:03.wpa

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:03.wpa                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in hostapd and wpa_supplicant

Category:       contrib
Module:         wpa
Announced:      2019-05-14
Affects:        All supported versions of FreeBSD.
Corrected:      2019-05-01 01:42:38 UTC (stable/12, 12.0-STABLE)
                2019-05-14 22:57:29 UTC (releng/12.0, 12.0-RELEASE-p4)
                2019-05-01 01:43:17 UTC (stable/11, 11.2-STABLE)
                2019-05-14 22:59:32 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2019-9494, CVE-2019-9495, CVE-2019-9496, CVE-2019-9497,
                CVE-2019-9498, CVE-2019-9499, CVE-2019-11555

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

Wi-Fi Protected Access II (WPA2) is a security protocol developed by the
Wi-Fi Alliance to secure wireless computer networks.  hostapd(8) and
wpa_supplicant(8) are user-space daemons implementing the WPA2 protocol
for access points and wireless clients, respectively.

II.  Problem Description

Multiple vulnerabilities exist in the hostapd(8) and wpa_supplicant(8)
implementations.  For more details, please see the reference URLs in the
References section below.

III. Impact

Security of the wireless network may be compromised.  For more details,
please see the reference URLs in the References section below.

IV.  Workaround

No workaround is available, but systems not using hostapd(8) or
wpa_supplicant(8) are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Afterwards, restart hostapd(8) or wpa_supplicant(8).

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, restart hostapd(8) or wpa_supplicant(8).

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-12.patch
# fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-12.patch.asc
# gpg --verify wpa-12.patch.asc

[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-11.patch
# fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-11.patch.asc
# gpg --verify wpa-11.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r346980
releng/12.0/                                                      r347587
stable/11/                                                        r346981
releng/11.2/                                                      r347588
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://w1.fi/security/2019-1>
<https://w1.fi/security/2019-2>
<https://w1.fi/security/2019-3>
<https://w1.fi/security/2019-4>
<https://w1.fi/security/2019-5>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9494>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9495>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9496>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9497>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9498>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9499>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11555>

The latest revision of this advis
FreeBSD Security Advisory FreeBSD-SA-19:04.ntp

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:04.ntp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Authenticated denial of service in ntpd

Category:       contrib
Module:         ntp
Announced:      2019-05-14
Credits:        Magnus Stubman
Affects:        All supported versions of FreeBSD
Corrected:      2019-03-07 13:45:36 UTC (stable/12, 12.0-STABLE)
                2019-05-14 23:02:56 UTC (releng/12.0, 12.0-RELEASE-p4)
                2019-03-07 13:45:36 UTC (stable/11, 11.3-PRERELEASE)
                2019-05-14 23:06:26 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2019-8936

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The ntpd(8) daemon is an implementation of the Network Time Protocol
(NTP) used to synchronize the time of a computer system to a reference
time source.

The ntpd(8) daemon uses a protocol called mode 6 to both get status
information from the running ntpd(8) daemon and configure it on the fly.
This protocol is typically used by the ntpq(8) program, among others.

II.  Problem Description

A crafted malicious authenticated mode 6 packet from a permitted network
address can trigger a NULL pointer dereference.

Note that for this attack to work, the sending system must be on an
address from which the target ntpd(8) accepts mode 6 packets, and must
use a private key that is specifically listed as being used for mode 6
authorization.

III. Impact

The ntpd daemon can crash due to the NULL pointer dereference, causing a
denial of service.

IV.  Workaround

Use 'restrict noquery' in the ntpd configuration to limit addresses that
can send mode 6 queries.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, restart the ntpd service:

# service ntpd restart

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:04/ntp.patch
# fetch https://security.FreeBSD.org/patches/SA-19:04/ntp.patch.asc
# gpg --verify ntp.patch.asc

[FreeBSD 11.2-RELEASE/11.3-PRERELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:04/ntp-11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:04/ntp-11.2.patch.asc
# gpg --verify ntp-11.2.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the ntpd service, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r344884
releng/12.0/                                                      r347589
stable/11/                                                        r344884
releng/11.2/                                                      r347590
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<http://support.ntp.org/bin/view/Main/SecurityNotice#March_2019_ntp_4_2_8p13_NTP_Rele>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8936>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:04.ntp.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzbTrdfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cLGtw/8CNAYnLxARrMUK1QeC9sE7EaboYInSOgaunf
FreeBSD Security Advisory FreeBSD-SA-19:02.fd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:02.fd                                         Security Advisory
                                                          The FreeBSD Project

Topic:          File descriptor reference count leak

Category:       core
Module:         unix
Announced:      2019-02-05
Credits:        Peter Holm
Affects:        FreeBSD 12.0
Corrected:      2019-02-05 17:56:22 UTC (stable/12, 12.0-STABLE)
                2019-02-05 18:11:15 UTC (releng/12.0, 12.0-RELEASE-p3)
                2019-02-05 17:57:30 UTC (stable/11, 11.2-STABLE)
CVE Name:       CVE-2019-5596

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

UNIX-domain sockets are used for inter-process communication.  It is
possible to use UNIX-domain sockets to transfer rights, encoded as file
descriptors, to another process.

II.  Problem Description

FreeBSD 12.0 attempts to handle the case where the receiving process does
not provide a sufficiently large buffer for an incoming control message
containing rights.  In particular, to avoid leaking the corresponding
descriptors into the receiving process' descriptor table, the kernel
handles the truncation case by closing the descriptors referenced by the
discarded message.

The code which performs this operation failed to release a reference
obtained on the file corresponding to a received right.  This bug can be
used to cause the reference counter to wrap around and free the file
structure.

III. Impact

A local user can exploit the bug to gain root privileges or escape from a
jail.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +30 "Rebooting for security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:02/fd.patch
# fetch https://security.FreeBSD.org/patches/SA-19:02/fd.patch.asc
# gpg --verify fd.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r343785
releng/12.0/                                                      r343790
stable/11/                                                        r343786
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5596>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:02.fd.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlxZ1YFfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cK7+w/+JeFIVM0QQC1R4wJFmT3bBaRumxGCx5PN5Ufe7ub/ztwsKQKJeps1aiS3
fzw3Ck1K7+joeG+cNwZNihmAyEa2Hgk+FDhQBX531yrwF1jQ2A2oKGfkhs5e02Ng
k16MV9pVlNP1zQ3wFVBjFCCvBuVJ0A8XTxALY7ivZlj2edgSH1eL4SaP1mrSD2Xu
pR2amN7WkAaIqvATK0VkWjYp6kUXtI8CBtdP3hpKz88rpYoZfWxupqtghnxgjIqt
iuTOhbemvYuBvB+ErbtU/6Z4ffoHt9Csrk2MM56/RZRwyHmtC4CFqtxClrUpOoa2
2OcEbR8cZyEardSES78UBjbTwlOTVd5F4o86Q1bKytHjI72ycB5yKZkyiHmdJCjs
EhlaDC/rnHxdYGvBuiLqFcNU5tJiGawZZwyozCQz67dGD89QzKQurKEWQ1YJvMsW
ZwwJRSHrllUyJQBdqV/R3Qoaz2koeE9633jtqHDdUYKCZAgeFdic/6u9r4Rx2Nj5
JpTZU01bwvxNZPf35WbI2L+JbygR40b3FYbZ3skBqZylp+EkPGPxGpHGAxdKWeOy
rzGBukIuWnLy9pmJ574oTZymw8Psvu2DJL3C
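The following program is an added example; it is neither part of the advisory nor FreeBSD Project code. It shows the userland side of the rights transfer described in sections I and II: a receiver that states how many descriptors it has room for, checks MSG_CTRUNC after recvmsg(2), and closes every descriptor that did arrive, so a truncated rights message cannot leave descriptors dangling in the process table. That discipline (a reference taken per received right, released exactly once on every path) is what the kernel's truncation handling got wrong. The names rights_roundtrip, recv_rights, send_rights and MAX_FDS are this example's own. It uses only the POSIX socket API and was checked on Linux; how many of the sent descriptors still arrive in the truncated case differs between kernels (FreeBSD 12.0 discards the whole message, as section II explains), so only MSG_CTRUNC and "received fewer than sent" are relied upon.

```c
/* Added example (not FreeBSD Project code): receiving SCM_RIGHTS with an
 * explicit budget, detecting truncation and releasing every received right. */
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_FDS 8   /* most rights this receiver will ever accept in one message */

/* Control-message buffer for up to MAX_FDS descriptors, aligned for cmsghdr. */
union ctrl_buf {
    char buf[CMSG_SPACE(MAX_FDS * sizeof(int))];
    struct cmsghdr align;
};

/* Sender: pass the same descriptor nfds times in one SCM_RIGHTS message; the
 * receiver sees nfds distinct descriptors referring to the same file. */
static int send_rights(int sock, int fd, int nfds)
{
    union ctrl_buf u;
    struct msghdr msg;
    struct cmsghdr *cm;
    char byte = 'R';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    int i;

    if (nfds < 1 || nfds > MAX_FDS)
        return -1;
    memset(&u, 0, sizeof(u));
    memset(&msg, 0, sizeof(msg));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = CMSG_SPACE(nfds * sizeof(int));
    cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(nfds * sizeof(int));
    for (i = 0; i < nfds; i++)
        memcpy(CMSG_DATA(cm) + i * sizeof(int), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receiver: offer room for exactly room_fds descriptors.  Returns how many
 * arrived (stored in fds[], caller closes them) or -1.  *truncated reports
 * MSG_CTRUNC: the sender offered more rights than this receiver budgeted. */
static int recv_rights(int sock, int room_fds, int fds[MAX_FDS], int *truncated)
{
    union ctrl_buf u;
    struct msghdr msg;
    struct cmsghdr *cm;
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    int n = 0;

    if (room_fds < 1 || room_fds > MAX_FDS)
        return -1;
    memset(&u, 0, sizeof(u));
    memset(&msg, 0, sizeof(msg));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = CMSG_LEN(room_fds * sizeof(int));   /* the deliberate limit */
    if (recvmsg(sock, &msg, 0) < 0)
        return -1;
    *truncated = (msg.msg_flags & MSG_CTRUNC) != 0;

    for (cm = CMSG_FIRSTHDR(&msg); cm != NULL; cm = CMSG_NXTHDR(&msg, cm)) {
        if (cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS ||
            cm->cmsg_len < CMSG_LEN(0))
            continue;
        size_t count = (cm->cmsg_len - CMSG_LEN(0)) / sizeof(int);
        for (size_t i = 0; i < count; i++) {
            int fd;
            memcpy(&fd, CMSG_DATA(cm) + i * sizeof(int), sizeof(int));
            if (n < MAX_FDS) fds[n++] = fd;
            else close(fd);     /* never silently keep a right we did not budget for */
        }
    }
    return n;
}

/* Round trip over a socketpair: send nfds_sent rights, receive with room for
 * room_fds.  Returns the number received; each received fd is closed once. */
int rights_roundtrip(int nfds_sent, int room_fds, int *truncated)
{
    int sv[2], pipefd[2], fds[MAX_FDS], n = -1, i;

    *truncated = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    if (pipe(pipefd) < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (send_rights(sv[0], pipefd[0], nfds_sent) == 0)
        n = recv_rights(sv[1], room_fds, fds, truncated);
    for (i = 0; i < n; i++)
        close(fds[i]);          /* release each received right exactly once */
    close(pipefd[0]); close(pipefd[1]); close(sv[0]); close(sv[1]);
    return n;
}

int main(void)
{
    int t, n;
    n = rights_roundtrip(3, 3, &t);
    printf("room for 3 of 3: received %d, MSG_CTRUNC=%d\n", n, t);
    n = rights_roundtrip(3, 1, &t);
    printf("room for 1 of 3: received %d, MSG_CTRUNC=%d\n", n, t);
    return 0;
}
```

The second round trip is the case the advisory describes: the receiver's control buffer is too small for the rights that were sent. A correct receiver treats MSG_CTRUNC as a signal that rights were dropped and still releases whatever it was given; the kernel must likewise drop its own reference on each discarded right, which is the step the FreeBSD 12.0 code missed.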
FreeBSD Security Advisory FreeBSD-SA-19:01.syscall
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:01.syscall                                    Security Advisory
                                                          The FreeBSD Project

Topic:          System call kernel data register leak

Category:       core
Module:         kernel
Announced:      2019-02-05
Credits:        Konstantin Belousov
Affects:        All supported versions of FreeBSD.
Corrected:      2019-02-05 17:52:06 UTC (stable/12, 12.0-STABLE)
                2019-02-05 18:05:05 UTC (releng/12.0, 12.0-RELEASE-p3)
                2019-02-05 17:54:02 UTC (stable/11, 11.2-STABLE)
                2019-02-05 18:07:45 UTC (releng/11.2, 11.2-RELEASE-p9)
CVE Name:       CVE-2019-5595

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The FreeBSD/amd64 architecture uses the SYSCALL instruction for system
calls, and a register calling convention for passing syscall arguments
and return values, in addition to the register usage imposed by the
SYSCALL and SYSRET instructions in long mode.  In particular, the
arguments are passed in the registers specified by the C ABI, and the
content of the registers specified as caller-save is undefined after
return from a syscall.

II.  Problem Description

The callee-save registers are used by the kernel, and for some of them
(%r8, %r10 and, for non-PTI configurations, %r9) the content is not
sanitized before returning from a syscall, potentially leaking sensitive
information.

III. Impact

Typically, the address of some kernel data structure used in the syscall
implementation is exposed.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10m "Rebooting for security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:01/syscall.patch
# fetch https://security.FreeBSD.org/patches/SA-19:01/syscall.patch.asc
# gpg --verify syscall.patch.asc

[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/SA-19:01/syscall.11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:01/syscall.11.2.patch.asc
# gpg --verify syscall.11.2.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r343781
releng/12.0/                                                      r343788
stable/11/                                                        r343782
releng/11.2/                                                      r343789
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5595>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:01.syscall.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlxZ1X9fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cKPZBAAlwCVtNNIuq0s8FB9LjLaVJww1WWmbVJbhw1TJyBV2yRCkWwGDLag3dJ0
EH8HwpWeL41lppjFeL6OMDZ2+wUnuShv3pAUGwodSRXsKWsp+aWqMPcNJifkVPxs
DENrziUHnXkbOnbnP25eA12j0ztCz8FjKoDh+wrjuY4BL8jzBK4ZJtmYaubrFEcD
GDStnEcvCNYDK8tf0rUW2lpv4oStTex5gFpZALPjq0g28kHPuctYzoOXOf9/So1i
0kwdstsIdgydsDCHv5nXij7IDohNo+5KEJuee1cIptKftmxPLuonXyP0PiO3W
FreeBSD Security Advisory FreeBSD-SA-18:15.bootpd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-18:15.bootpd                                     Security Advisory
                                                          The FreeBSD Project

Topic:          bootpd buffer overflow

Category:       core
Module:         bootpd
Announced:      2018-12-19
Credits:        Reno Robert
Affects:        All supported versions of FreeBSD.
Corrected:      2018-12-19 18:17:59 UTC (stable/12, 12.0-STABLE)
                2018-12-19 18:21:07 UTC (releng/12.0, 12.0-RELEASE-p1)
                2018-12-19 18:19:15 UTC (stable/11, 11.2-STABLE)
                2018-12-19 18:22:25 UTC (releng/11.2, 11.2-RELEASE-p7)
CVE Name:       CVE-2018-17161

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The bootpd utility implements an Internet Bootstrap Protocol (BOOTP)
server as defined in RFC951, RFC1532, and RFC1533.

II.  Problem Description

Due to insufficient validation of network-provided data, it may be
possible for a malicious attacker to craft a bootp packet which could
cause a stack buffer overflow.

III. Impact

It is possible that the buffer overflow could lead to a Denial of Service
or remote code execution.

IV.  Workaround

Firewall rules may be used to limit reception of bootp packets to only
trusted networks or hosts.  Note that the bootp protocol is typically
limited to a common layer 2 broadcast domain, although the bootpgw
gateway can forward bootp requests and responses between subnets.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Restart bootpd if it is running in standalone mode.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-18:15/bootpd.patch
# fetch https://security.FreeBSD.org/patches/SA-18:15/bootpd.patch.asc
# gpg --verify bootpd.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r342228
releng/12.0/                                                      r342230
stable/11/                                                        r348229
releng/11.2/                                                      r342231
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17161>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:15.bootpd.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlwane5fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cKfzg/+PhmA1AKfXFSkeJJPvdF/7hjKpWaCdVAyUZsuWH5L1Tmb4Lc/pLjw22Ba
Xh/sAKik6pa/nVTZCBgAqoCqmV8CdhScwvRZdVSP5CQ9vnM+6fFcybP0aCZOmiJC
NGAE8nIBdazqWJfNM9HUSIbdqEOtMlVcyE0Ni/TxzcAFdzFowfDnyRm1wqI4zhM7
YL7pU0kTYJfydjK540rHB1tNBaYHSJ/6ckK3tkjwjVgMsQwNSizKrPsqycoMlMmD
TqQMfDwU8W/jFLsr7OZE66eQBysSiuzYAv3IsipL+50SYgS0aoo3LwKrCcYGN6c/
S/0SOfNHDgd/7wregI5adKqWJceaqZCVedSVLm6ZaG1Vt3alIjczX9D7wIjuXPlD
AkSKa0HnmSwDC8yWLJYMxuny7vy3uBAUnPiwIT3RrsDC0b28/uwNPbeSbG0Wrf9F
21PDMfeCPc2Vr/TVj9uSIo20pNtVhy+tGbx1Ilsgi3POa3n7pTOuFWHMzQVe3rZA
DLYEbliPxpq9NFJ/2UZQg25weOD5ygwaYZnbsXAMY47D4kteeQOjzomgiacVhE56
oT8z804nGgGdCe4LpiHihDVzCbBvvuEPw9Edffzm7EWykp
FreeBSD Security Advisory FreeBSD-SA-18:14.bhyve
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-18:14.bhyve                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Insufficient bounds checking in bhyve(8) device model

Category:       core
Module:         bhyve
Announced:      2018-12-04
Credits:        Reno Robert
Affects:        All supported versions of FreeBSD.
Corrected:      2018-12-04 18:32:50 UTC (stable/11, 11.2-STABLE)
                2018-12-04 18:38:32 UTC (releng/11.2, 11.2-RELEASE-p6)
CVE Name:       CVE-2018-17160

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The bhyve hypervisor uses the bhyve(8) program to emulate support for
most virtual devices used by guest operating systems.

II.  Problem Description

Insufficient bounds checking in one of the device models provided by
bhyve(8) can permit a guest operating system to overwrite memory in the
bhyve(8) process, possibly permitting arbitrary code execution.

III. Impact

A guest OS using a firmware image can cause the bhyve process to crash,
or possibly execute arbitrary code on the host as root.

IV.  Workaround

The device model in question is only enabled when booting guests with a
firmware image such as the UEFI images from the bhyve-firmware package.
Guests booted using bhyveload(8) or grub2-bhyve are not affected.

Guests using operating systems supported by bhyveload(8) or grub2-bhyve
can be booted using these tools as a workaround.  No workaround is
available for guest operating systems such as Windows that require a
firmware image.

V.   Solution

Perform one of the following:

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, restart guests using firmware images.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-18:14/bhyve.patch
# fetch https://security.FreeBSD.org/patches/SA-18:14/bhyve.patch.asc
# gpg --verify bhyve.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Afterward, restart guests using firmware images.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/11/                                                        r341486
releng/11.2/                                                      r341488
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17160>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:14.bhyve.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlwGykdfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cKcIQ/+Ktt7+SZPoWZQmJv6LdT6qI+na0+/9LDwBoC+Tj37heFUnhcMTxDDH4o3
nexELxF1xHmRchooRKfJr7npa8CF4jBzp2PSb+783q6TrFKe90ohlmt56lRB6gJg
3IJX5TxvAvLsqTgwPyALqyy3H5C8cY3btHPsZIArK0WVRTB74K3mr3L3IRVTcMCv
9cbUZyDO21ZIDTB5h9FYGo+6bg8hvZztmromkxssqlKKS8TUltGr/H3k6EHlnEA9
rG+6kswIgyeXNFrdksD6ni7L5Z3lwR/DFiU2d/lageQZ6vgDUa3c0KMhepfelfJR
AiUtGpgfCDuHZ1NV2uyr9I6nPRHhdxPy3o2bF/B7+SLdn03tcZiO0tx3Wf68EQlt
jAYFuup7+TFKoupsHlb2fkQxNOeQCr6dF+ikJDVgwCqmx2zn9tDo/tWoNdH+Jylx
MDKsE369HOSRGR3Ua1ELEtOEzbGbcUHJyT6I1E2poctE61hYI+5te6pasY3ReN68
vyFMAo5ey0kJ6mi2YVcvDo2ZEb/GP1noJkdquYpIm8Ko0TPtivaMHXLIPcpLiJUc
fBZexGCXJnb8f6ClMMU12U6f3H35Hz1AUPG3MSWHGgoczQBZJ8PEC
FreeBSD Security Advisory FreeBSD-SA-18:13.nfs
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-18:13.nfs                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in NFS server code

Category:       core
Module:         nfs
Announced:      2018-11-27
Credits:        Jakub Jirasek, Secunia Research at Flexera
Affects:        All supported versions of FreeBSD.
Corrected:      2018-11-23 20:41:54 UTC (stable/11, 11.2-STABLE)
                2018-11-27 19:42:16 UTC (releng/11.2, 11.2-RELEASE-p5)
CVE Name:       CVE-2018-17157, CVE-2018-17158, CVE-2018-17159

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The Network File System (NFS) allows a host to export some or all of its
file systems so that other hosts can access them over the network and
mount them as if they were local.  FreeBSD includes both server and
client implementations of NFS.

II.  Problem Description

Insufficient and improper checking in the NFS server code could cause a
denial of service or possibly remote code execution via a specially
crafted network packet.

III. Impact

A remote attacker could cause the NFS server to crash, resulting in a
denial of service, or possibly execute arbitrary code on the server.

IV.  Workaround

No workaround is available, but systems that do not provide NFS services
are not vulnerable.

Additionally, it is highly recommended that the NFS service port (default
port number 2049) be protected via a host or network based firewall to
prevent arbitrary, untrusted clients from being able to connect.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/SA-18:13/nfs.patch
# fetch https://security.FreeBSD.org/patches/SA-18:13/nfs.patch.asc
# gpg --verify nfs.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/11/                                                        r340854
releng/11.2/                                                      r341088
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://www.flexerasoftware.com/enterprise/company/about/secunia-research/>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17157>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17158>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17159>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:13.nfs.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlv9n85fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cKJEg//Umbe1QOUgV0Z6EsdlQffNMo9MHbAz75vCqeaibI36Ng9vmkLKGlS6nCA
5mKFS+BvM5CkekBaiQ6BR8t0xWsrFwX6JCUayQ2FsCSo4rwCZms3AIbvt68vjQAm
xWuQIMJzYku5+kALtcXXvVkLhMCaioVDpZmuPCO+rY79OVM4xP1MsnTfqEZSNo+n
Cz2urH4eO60YsM8w05coQ3hnOsUjTCk8yCh3+R/uYK1VouLDgD8q96T1eG2ozny6
vwEMK3AjmcpvFkTIF3/2I6TTA5K+Zd+nqzhzPM5HjbLZmdQV02NHcoGaZrK1wsQw
D+3wf8icBMfLt9rTUbEqVdvg5FRDkTo8/dH1wY85gWZ2wsSgCqI2wRuqBH4bp3bb
Gcf2+D4vgX6YY5cZ/wFDcYWpghhrmXUbgnH7PnyVfYB0Ufta9utgMOQKMS0mUWwM
DlHP+fL/A8lhPvXIhl1DtSa/TQAiAdMG1Jwkt
FreeBSD Security Advisory FreeBSD-SA-18:12.elf
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-18:12.elf                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Improper ELF header parsing

Category:       core
Module:         kernel
Announced:      2018-09-12
Credits:        Thomas Barabosch, Fraunhofer FKIE; Mark Johnston
Affects:        All supported versions of FreeBSD.
Corrected:      2018-09-12 05:02:11 UTC (stable/11, 11.1-STABLE)
                2018-09-12 05:07:35 UTC (releng/11.2, 11.2-RELEASE-p3)
                2018-09-12 05:07:35 UTC (releng/11.1, 11.1-RELEASE-p14)
                2018-09-12 05:03:30 UTC (stable/10, 10.4-STABLE)
                2018-09-12 05:07:35 UTC (releng/10.4, 10.4-RELEASE-p12)
CVE Name:       CVE-2018-6924

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

To execute a binary, the kernel must parse the ELF header to determine
the entry point address, the program interpreter, and other parameters.

II.  Problem Description

Insufficient validation was performed in the ELF header parser, and
malformed or otherwise invalid ELF binaries were not rejected as they
should be.

III. Impact

Execution of a malicious ELF binary may result in a kernel crash or may
disclose kernel memory.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +30 "Rebooting for security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-18:12/elf.patch
# fetch https://security.FreeBSD.org/patches/SA-18:12/elf.patch.asc
# gpg --verify elf.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/10/                                                        r338605
releng/10.4/                                                      r338606
stable/11/                                                        r338604
releng/11.1/                                                      r338606
releng/11.2/                                                      r338606
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6924>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:12.elf.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAluYoK9fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cKA+BAApeUtPHpy5mEHC8ftJ+3NZpfI8gcfuPE0dlJi6CpXq8/ruXN5Yt5X0E0l
hlbNGqEMckfe3F81rCXLbtu0zeAnSBfAFcm9xSBa6aSRfP4GAZtKDKwilPqqT9F8
sOrPR/mAfxWmWcfDt8ggAx6akr2Tt48t7TiBP/kA14+CzVmp/pMU/ceFDLk8JYjY
PQzVM4fHC5xeBWtA2JjMNHnhR6XMeiDOLkgeRiRW1LhB/OwWwcb0uzVixxR34mCT
vFm1eJteAitoVclgnI//GkzZZ6b7SZkqyqODWKVLWXaYgb8/Z6SaKAQm2TWuHPEh
nzIpPGhnXZc+36Nn9/HYDKVn3skD1sYAnTMgPcUYZH3KfkohvFdHlnoGqkcnMwTy
mSKkQx9ojuLfwot7tyJCbgU/6e82ed1g9EiFZXwW8x4ePClaAvrDozz0QGwlXgyY
1jBbFp/gYznhxTetVRHo5ug5SHZgD2Ye46TCoglHX0CprhkWwpKenoCEyfyjlHXH
uI+RPd46TlQfuK4bqURRpWvNWprXGqQ0ypFVW2JJgqLPBX0QS79gzqO++C8tRqQv
e16mqzBGNIre/8FOCBpV/Z61NgxqeYo2ndHxc9VTMiFXK/2v3TDK9AvYZ1/xEvwC
IRpC+qo870B5XT/ihC/KpYI4jgM2/pK/Mdez6Q4s5M6eeCBHAgw=
=J/a5
-----END PGP SIGNATURE-----
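As an added example (not the FreeBSD kernel's code and not part of the advisory), the following validator performs the header bounds checks an ELF64 loader needs before it trusts e_phoff, e_phentsize and e_phnum to locate the program header table, which is the kind of validation sections I and II say was insufficient. It returns a distinct reason for each rejection so a loader can log why an image was refused. The enum names, check_sample and the constructed sample images are this example's own; the Elf64_Ehdr and Elf64_Phdr definitions come from glibc's <elf.h> (FreeBSD provides the same structures in <sys/elf64.h>).

```c
/* Added example (not FreeBSD kernel code): ELF64 header validation with
 * overflow-safe bounds checks on the program header table. */
#include <elf.h>        /* Elf64_Ehdr, Elf64_Phdr, ELFMAG, EI_*, ET_*, PN_XNUM (glibc) */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum elf_check {
    ELF_OK = 0,
    ELF_TOO_SHORT,      /* image smaller than an ELF64 header */
    ELF_BAD_MAGIC,      /* does not start with \177ELF */
    ELF_BAD_CLASS,      /* not ELFCLASS64 */
    ELF_BAD_EHSIZE,     /* e_ehsize disagrees with sizeof(Elf64_Ehdr) */
    ELF_BAD_TYPE,       /* neither ET_EXEC nor ET_DYN */
    ELF_BAD_PHDR,       /* no program headers, PN_XNUM, or wrong entry size */
    ELF_PHDR_OOB        /* program header table not inside the image */
};

/* Validate the ELF64 header at the start of an in-memory image of image_len bytes. */
enum elf_check validate_elf64_header(const uint8_t *image, size_t image_len)
{
    Elf64_Ehdr eh;
    uint64_t ph_bytes;

    if (image_len < sizeof(eh))
        return ELF_TOO_SHORT;
    memcpy(&eh, image, sizeof(eh));     /* copy out: no unaligned reads of the image */

    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0)
        return ELF_BAD_MAGIC;
    if (eh.e_ident[EI_CLASS] != ELFCLASS64)
        return ELF_BAD_CLASS;
    if (eh.e_ehsize != sizeof(Elf64_Ehdr))
        return ELF_BAD_EHSIZE;
    if (eh.e_type != ET_EXEC && eh.e_type != ET_DYN)
        return ELF_BAD_TYPE;

    /* The loader will walk e_phnum entries of e_phentsize bytes at e_phoff.
     * PN_XNUM (real count held in a section header) is deliberately unsupported. */
    if (eh.e_phnum == 0 || eh.e_phnum == PN_XNUM || eh.e_phentsize != sizeof(Elf64_Phdr))
        return ELF_BAD_PHDR;
    ph_bytes = (uint64_t)eh.e_phnum * eh.e_phentsize;   /* 16-bit x 16-bit: cannot overflow */

    /* Compare against the space remaining after e_phoff instead of computing
     * e_phoff + ph_bytes, which a hostile e_phoff could make wrap around. */
    if (eh.e_phoff > image_len || ph_bytes > image_len - eh.e_phoff)
        return ELF_PHDR_OOB;

    return ELF_OK;
}

/* Constructed sample header (not taken from any real binary). */
static void make_header(Elf64_Ehdr *eh, uint16_t phnum, uint64_t phoff)
{
    memset(eh, 0, sizeof(*eh));
    memcpy(eh->e_ident, ELFMAG, SELFMAG);
    eh->e_ident[EI_CLASS]   = ELFCLASS64;
    eh->e_ident[EI_DATA]    = ELFDATA2LSB;
    eh->e_ident[EI_VERSION] = EV_CURRENT;
    eh->e_type      = ET_EXEC;
    eh->e_machine   = EM_X86_64;
    eh->e_version   = EV_CURRENT;
    eh->e_ehsize    = sizeof(Elf64_Ehdr);
    eh->e_phentsize = sizeof(Elf64_Phdr);
    eh->e_phnum     = phnum;
    eh->e_phoff     = phoff;
}

/* Build a constructed image of image_len bytes (at most 4096) that begins with
 * such a header, everything past the header being zero, and validate it. */
enum elf_check check_sample(uint16_t phnum, uint64_t phoff, size_t image_len)
{
    static uint8_t image[4096];
    Elf64_Ehdr eh;

    if (image_len > sizeof(image))
        image_len = sizeof(image);
    memset(image, 0, sizeof(image));
    make_header(&eh, phnum, phoff);
    memcpy(image, &eh, sizeof(eh));
    return validate_elf64_header(image, image_len);
}

int main(void)
{
    printf("well-formed:          %d\n", check_sample(2, 64, 64 + 2 * 56));
    printf("phdr table past end:  %d\n", check_sample(2, 64, 64 + 56));
    printf("e_phoff near 2^64:    %d\n", check_sample(1, UINT64_MAX - 15, 4096));
    return 0;
}
```

The third sample is the case a naive check of the form e_phoff + e_phnum * e_phentsize <= image_len gets wrong: the sum wraps and the table appears to fit, after which the loader reads whatever lies at the wrapped offset. Checking the remaining space instead makes the comparison correct for every possible e_phoff.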
FreeBSD Security Advisory FreeBSD-SA-18:11.hostapd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-18:11.hostapd                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Unauthenticated EAPOL-Key Decryption Vulnerability

Category:       contrib
Module:         wpa
Announced:      2018-08-14
Credits:        Mathy Vanhoef of the imec-DistriNet research group of
                KU Leuven
Affects:        All supported versions of FreeBSD.
Corrected:      2018-08-15 05:03:54 UTC (stable/11, 11.1-STABLE)
                2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2)
                2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13)
                2018-08-15 05:05:02 UTC (stable/10, 10.4-STABLE)
                2018-08-15 02:31:10 UTC (releng/10.4, 10.4-RELEASE-p11)
CVE Name:       CVE-2018-14526

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The wpa_supplicant(8) utility is a client (supplicant) with support for
WPA and WPA2 (IEEE 802.11i / RSN).  It is suitable for both desktop and
laptop computers as well as embedded systems.  Supplicant is the IEEE
802.1X/WPA component that is used in the client stations.  It implements
key negotiation with a WPA Authenticator and it controls the roaming and
IEEE 802.11 authentication/association of the wlan(4) driver.

The wpa_supplicant(8) utility is designed to be a "daemon" program that
runs in the background and acts as the backend component controlling the
wireless connection.  The wpa_supplicant(8) utility supports separate
frontend programs; a text-based frontend (wpa_cli(8)) and a GUI (wpa_gui)
are included with wpa_supplicant(8).

II.  Problem Description

When using WPA2, for EAPOL-Key frames with the Encrypted flag set and
without the MIC flag set, the data field was decrypted without first
verifying the MIC.  When the data field was encrypted using RC4, for
example when negotiating TKIP as a pairwise cipher, the unauthenticated
but decrypted data was subsequently processed.

This opened wpa_supplicant(8) to abuse by decryption and recovery of
sensitive information contained in EAPOL-Key messages.

See <URL:https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt>
for a detailed description of the bug.

III. Impact

All users of the WPA2 TKIP pairwise cipher are vulnerable to disclosure
of information, for example, the group key.

IV.  Workaround

Remove TKIP as an allowed pairwise cipher in RSN/WPA2 networks in
wpa_supplicant.conf(5) by changing 'pairwise=CCMP TKIP' to
'pairwise=CCMP'.  This can also be mitigated by removing TKIP as a
cipher on the AP.

Systems and users who do not use WPA2 TKIP are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-18:11/hostapd.patch
# fetch https://security.FreeBSD.org/patches/SA-18:11/hostapd.patch.asc
# gpg --verify hostapd.patch.asc

[FreeBSD 10.4]
# fetch https://security.FreeBSD.org/patches/SA-18:11/hostapd-10.patch
# fetch https://security.FreeBSD.org/patches/SA-18:11/hostapd-10.patch.asc
# gpg --verify hostapd-10.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/10/                                                        r337832
releng/10.4/                                                      r337829
stable/11/                                                        r337831
releng/11.1/                                                      r337828
releng/11.2/                                                      r337828
- -------------------------------------------------------------------------
FreeBSD Security Advisory FreeBSD-SA-18:10.ip
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-18:10.ip                                         Security Advisory
                                                          The FreeBSD Project

Topic:          Resource exhaustion in IP fragment reassembly

Category:       core
Module:         inet
Announced:      2018-08-14
Credits:        Juha-Matti Tilli from Aalto University, Department of
                Communications and Networking and Nokia Bell Labs
Affects:        All supported versions of FreeBSD.
Corrected:      2018-08-14 18:17:05 UTC (stable/11, 11.1-STABLE)
                2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2)
                2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13)
CVE Name:       CVE-2018-6923

Special note:   Due to source code differences in FreeBSD 10-stable a
                patch is not yet available for FreeBSD 10.4.  This will
                follow at a later date.

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The Internet Protocol (IP) version 4 (IPv4) allows fragmentation of
packets which are too big to traverse all the links between two end
stations.  Any router along the path between two end hosts may fragment
packets which are larger than a link's maximum transmission unit (MTU).
FreeBSD's implementation of some IPv4 protocols (such as the Transmission
Control Protocol [TCP]) performs path MTU discovery to avoid the need for
fragmentation.

IP version 6 (IPv6) retains the concept of packet fragmentation.  It
changed the fragmentation operation to require that the originating
end-system perform path MTU discovery and fragment packets which are too
large for any MTU along the path between two end systems.

While all hosts attached to the Internet are required to support
fragmentation and reassembly, many hosts will encounter very few
legitimate fragmented packets due to the operation of path MTU discovery.

II.  Problem Description

A researcher has notified us of a DoS attack applicable to another
operating system.  While FreeBSD may not be vulnerable to that exact
attack, we have identified several places where inadequate DoS protection
could allow an attacker to consume system resources.

It is not necessary that the attacker be able to establish two-way
communication to carry out these attacks.  These attacks impact both IPv4
and IPv6 fragment reassembly.

III. Impact

In the worst case, an attacker could send a stream of crafted fragments
with a low packet rate which would consume a substantial amount of CPU.

Other attack vectors allow an attacker to send a stream of crafted
fragments which could consume a large amount of CPU or all available mbuf
clusters on the system.

These attacks could temporarily render a system unreachable through
network interfaces or temporarily render a system unresponsive.  The
effects of the attack should clear within 60 seconds after the attack
stops.

IV.  Workaround

Disable fragment reassembly, using these commands:

% sysctl net.inet.ip.maxfragpackets=0
% sysctl net.inet6.ip6.maxfrags=0

On systems compiled with VIMAGE, these sysctls will need to be executed
for each VNET.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release
or security branch (releng) dated after the correction date, and reboot.

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-18:10/ip.patch
# fetch https://security.FreeBSD.org/patches/SA-18:10/ip.patch.asc
# gpg --verify ip.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
FreeBSD Security Advisory FreeBSD-SA-18:09.l1tf
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 = FreeBSD-SA-18:09.l1tf Security Advisory The FreeBSD Project Topic: L1 Terminal Fault (L1TF) Kernel Information Disclosure Category: core Module: Kernel Announced: 2018-08-14 Affects:All supported versions of FreeBSD. Corrected: 2018-08-14 17:51:12 UTC (stable/11, 11.1-STABLE) 2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2) 2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13) CVE Name: CVE-2018-3620, CVE-2018-3646 Special Note: Speculative execution vulnerability mitigation remains a work in progress. This advisory addresses the issue in FreeBSD 11.1 and later. We expect to update this advisory to include 10.4 at a later time. For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit https://security.FreeBSD.org/>. I. Background When a program accesses data in memory via a logical address it is translated to a physical address in RAM by the CPU. Accessing an unmapped logical address results in what is known as a terminal fault. II. Problem Description On certain Intel 64-bit x86 systems there is a period of time during terminal fault handling where the CPU may use speculative execution to try to load data. The CPU may speculatively access the level 1 data cache (L1D). Data which would otherwise be protected may then be determined by using side channel methods. This issue affects bhyve on FreeBSD/amd64 systems. III. Impact An attacker executing user code, or kernel code inside of a virtual machine, may be able to read secret data from the kernel or from another virtual machine. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot. 
Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +30 "Rebooting for security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch.asc
# gpg --verify l1tf-11.2.patch.asc

[FreeBSD 11.1]
# fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.1.patch
# fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.1.patch.asc
# gpg --verify l1tf-11.1.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

CVE-2018-3620 (L1 Terminal Fault-OS)

FreeBSD reserves the memory page at physical address 0, so it will not
contain secret data. FreeBSD zeros the paging data structures for unmapped
addresses, so that speculatively executed L1 Terminal Faults will access
only the reserved, unused page.

CVE-2018-3646 (L1 Terminal Fault-VMM)

Patched systems flush the L1 data cache prior to guest entry, so that
there is no secret data in cache for a terminal fault (from the guest) to
access.

The following list contains the correction revision numbers for each
affected branch.
Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/11/                                                        r337794
releng/11.1/                                                      r337828
releng/11.2/                                                      r337828
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

More information on L1 Terminal Fault is available at:

https://cve.mitre.o
FreeBSD Security Advisory FreeBSD-SA-18:08.tcp
FreeBSD-SA-18:08.tcp                                         Security Advisory
                                                          The FreeBSD Project

Topic:          Resource exhaustion in TCP reassembly

Category:       core
Module:         inet
Announced:      2018-08-06
Credits:        Juha-Matti Tilli from Aalto University, Department of
                Communications and Networking and Nokia Bell Labs
Affects:        All supported versions of FreeBSD.
Corrected:      2018-08-06 18:46:09 UTC (stable/11, 11.1-STABLE)
                2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2)
                2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13)
                2018-08-06 18:47:03 UTC (stable/10, 10.4-STABLE)
                2018-08-15 02:31:10 UTC (releng/10.4, 10.4-RELEASE-p11)
CVE Name:       CVE-2018-6922

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:https://security.FreeBSD.org/>.

0.   Revision history

v1.0  2018-08-06  Initial release.
v1.1  2018-08-14  Fixed documentation date in manual pages.

I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data stream
service. To transmit a stream of data, TCP breaks the data stream into
segments for transmission through the Internet, and reassembles the
segments at the receiving side to recreate the data stream.

II.  Problem Description

One of the data structures that holds TCP segments uses an inefficient
algorithm to reassemble the data. This causes the CPU time spent on segment
processing to grow linearly with the number of segments in the reassembly
queue.

III. Impact

An attacker who has the ability to send TCP traffic to a victim system can
degrade the victim system's network performance and/or consume excessive
CPU by exploiting the inefficiency of TCP reassembly handling, with
relatively small bandwidth cost.

IV.  Workaround

As a workaround, system administrators should configure their systems to
only accept TCP connections from trusted end-stations, if it is possible
to do so.
For systems which must accept TCP connections from untrusted end-stations,
the workaround is to limit the size of each reassembly queue. The
capability to do that is added by the patches noted in the "Solution"
section below.

V.   Solution

As a temporary solution to this problem, these patches limit the size of
each TCP connection's reassembly queue. The value is controlled by a sysctl
(net.inet.tcp.reass.maxqueuelen), which sets the maximum number of TCP
segments that can be outstanding on a session's reassembly queue. This
value defaults to 100. Note that setting this value too low could impact
the throughput of TCP connections which experience significant loss or
reordering. However, the higher this number is set, the more resources can
be consumed on TCP reassembly processing.

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.4]
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-10.patch
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-10.patch.asc
# gpg --verify tcp-10.patch.asc

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-11.patch
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-11.patch.asc
# gpg --verify tcp-11.patch.asc

[*** v1.1 NOTE ***] The following patchsets are provided for completeness;
they have little impact on runtime behavior.
[FreeBSD 10.4]
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-10.patch
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-10.patch.asc
# gpg --verify tcp-man-10.patch.asc

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-11.patch
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-11.patch.asc
# gpg --verify tcp-man-11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reb
FreeBSD Security Advisory FreeBSD-SA-18:08.tcp
FreeBSD-SA-18:08.tcp                                         Security Advisory
                                                          The FreeBSD Project

Topic:          Resource exhaustion in TCP reassembly

Category:       core
Module:         inet
Announced:      2018-08-06
Credits:        Juha-Matti Tilli from Aalto University, Department of
                Communications and Networking and Nokia Bell Labs
Affects:        All supported versions of FreeBSD.
Corrected:      2018-08-06 18:46:09 UTC (stable/11, 11.1-STABLE)
                2018-08-06 17:47:47 UTC (releng/11.2, 11.2-RELEASE-p1)
                2018-08-06 17:48:46 UTC (releng/11.1, 11.1-RELEASE-p12)
                2018-08-06 18:47:03 UTC (stable/10, 10.4-STABLE)
                2018-08-06 17:50:40 UTC (releng/10.4, 10.4-RELEASE-p10)
CVE Name:       CVE-2018-6922

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data stream
service. To transmit a stream of data, TCP breaks the data stream into
segments for transmission through the Internet, and reassembles the
segments at the receiving side to recreate the data stream.

II.  Problem Description

One of the data structures that holds TCP segments uses an inefficient
algorithm to reassemble the data. This causes the CPU time spent on segment
processing to grow linearly with the number of segments in the reassembly
queue.

III. Impact

An attacker who has the ability to send TCP traffic to a victim system can
degrade the victim system's network performance and/or consume excessive
CPU by exploiting the inefficiency of TCP reassembly handling, with
relatively small bandwidth cost.

IV.  Workaround

As a workaround, system administrators should configure their systems to
only accept TCP connections from trusted end-stations, if it is possible
to do so.
For systems which must accept TCP connections from untrusted end-stations,
the workaround is to limit the size of each reassembly queue. The
capability to do that is added by the patches noted in the "Solution"
section below.

V.   Solution

As a temporary solution to this problem, these patches limit the size of
each TCP connection's reassembly queue. The value is controlled by a sysctl
(net.inet.tcp.reass.maxqueuelen), which sets the maximum number of TCP
segments that can be outstanding on a session's reassembly queue. This
value defaults to 100. Note that setting this value too low could impact
the throughput of TCP connections which experience significant loss or
reordering. However, the higher this number is set, the more resources can
be consumed on TCP reassembly processing.

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.4]
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-10.patch
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-10.patch.asc
# gpg --verify tcp-10.patch.asc

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-11.patch
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-11.patch.asc
# gpg --verify tcp-11.patch.asc

b) Apply the patch.
Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r337392
releng/10.4/                                                      r337389
stable/11/                                                        r337391
releng/11.1/                                                      r337388
releng/11.2/
FreeBSD Security Advisory FreeBSD-SA-18:07.lazyfpu
FreeBSD-SA-18:07.lazyfpu                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Lazy FPU State Restore Information Disclosure

Category:       core
Module:         kernel
Announced:      2018-06-21
Credits:        Julian Stecklina from Amazon Germany
                Thomas Prescher from Cyberus Technology GmbH
                Zdenek Sojka from SYSGO AG
                Colin Percival
Affects:        All supported versions of FreeBSD.
Corrected:      2018-06-14 18:50:49 UTC (stable/11, 11.2-PRERELEASE)
                2018-06-15 13:21:37 UTC (releng/11.2, 11.2-RC3)
                2018-06-21 05:17:13 UTC (releng/11.1, 11.1-RELEASE-p11)
CVE Name:       CVE-2018-3665

Special Note:   This advisory only addresses this issue for FreeBSD 11.x
                on i386 and amd64. We expect to update this advisory to
                include 10.x in the near future.

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

Modern CPUs have a floating point unit (FPU) which needs to maintain state
per thread. One technique is to only save and to only restore the FPU
state for a thread when a thread attempts to utilize the FPU. This
technique is called Lazy FPU state restore.

II.  Problem Description

A subset of Intel processors can allow a local thread to infer data from
another thread through a speculative execution side channel when Lazy FPU
state restore is used.

III. Impact

Any local thread can potentially read FPU state information from other
threads running on the host. This could include cryptographic keys when
the AES-NI CPU feature is present.

IV.  Workaround

No workaround is available, but non-Intel branded CPUs are not believed to
be vulnerable.

V.   Solution

The patch changes from Lazy FPU state restore to Eager FPU state restore.
This new technique is the recommended practice from Intel and in some
cases can actually increase performance, depending on workload.
Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.1]
# fetch https://security.FreeBSD.org/patches/SA-18:07/lazyfpu-11.patch
# fetch https://security.FreeBSD.org/patches/SA-18:07/lazyfpu-11.patch.asc
# gpg --verify lazyfpu-11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/11/                                                        r335169
releng/11.2/                                                      r335196
releng/11.1/                                                      r335465
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII.
References

<URL:https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3665>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:07.lazyfpu.asc>
FreeBSD Security Advisory FreeBSD-SA-18:06.debugreg
FreeBSD-SA-18:06.debugreg                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Mishandling of x86 debug exceptions

Category:       core
Module:         kernel
Announced:      2018-05-08
Credits:        Nick Peterson, Everdox Tech LLC
                https://www.linkedin.com/in/everdox
                Andy Lutomirski
Affects:        All supported versions of FreeBSD.
Corrected:      2018-05-08 17:03:33 UTC (stable/11, 11.2-PRERELEASE)
                2018-05-08 17:12:10 UTC (releng/11.1, 11.1-RELEASE-p10)
                2018-05-08 17:05:39 UTC (stable/10, 10.4-STABLE)
                2018-05-08 17:12:10 UTC (releng/10.4, 10.4-RELEASE-p9)
CVE Name:       CVE-2018-8897

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

On x86 architecture systems, the stack is represented by the combination
of a stack segment and a stack pointer, which must remain in sync for
proper operation. Instructions related to manipulating the stack segment
have special handling to facilitate consistency with changes to the stack
pointer.

II.  Problem Description

The MOV SS and POP SS instructions inhibit debug exceptions until the
instruction boundary following the next instruction. If that instruction
is a system call or similar instruction that transfers control to the
operating system, the debug exception will be handled in the kernel
context instead of the user context.

III. Impact

An authenticated local attacker may be able to read sensitive data in
kernel memory, control low-level operating system functions, or may panic
the system.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date, using either a
binary or source code patch, and then reboot.
1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

And reboot.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.1]
# fetch https://security.FreeBSD.org/patches/SA-18:06/debugreg.11.1.patch
# fetch https://security.FreeBSD.org/patches/SA-18:06/debugreg.11.1.patch.asc
# gpg --verify debugreg.11.1.patch.asc

[FreeBSD 10.4]
# fetch https://security.FreeBSD.org/patches/SA-18:06/debugreg.10.4.patch
# fetch https://security.FreeBSD.org/patches/SA-18:06/debugreg.10.4.patch.asc
# gpg --verify debugreg.10.4.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile and install your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                            r70
releng/10.4/                                                          r71
stable/11/                                                            r69
releng/11.1/                                                          r71
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII.
References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8897>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:06.debugreg.asc>
FreeBSD Security Advisory FreeBSD-SA-18:05.ipsec
FreeBSD-SA-18:05.ipsec                                       Security Advisory
                                                          The FreeBSD Project

Topic:          ipsec crash or denial of service

Category:       core
Module:         ipsec
Announced:      2018-04-04
Credits:        Maxime Villard
Affects:        All supported versions of FreeBSD.
Corrected:      2018-01-31 09:24:48 UTC (stable/11, 11.1-STABLE)
                2018-04-04 05:37:52 UTC (releng/11.1, 11.1-RELEASE-p9)
                2018-01-31 09:26:28 UTC (stable/10, 10.4-STABLE)
                2018-04-04 05:37:52 UTC (releng/10.4, 10.4-RELEASE-p8)
                2018-04-04 05:37:52 UTC (releng/10.3, 10.3-RELEASE-p29)
CVE Name:       CVE-2018-6918

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The IPsec suite of protocols provides network level security for IPv4 and
IPv6 packets. FreeBSD includes software originally developed by the KAME
project which implements the various protocols that make up IPsec.

In IPsec, the IP Authentication Header (AH) is used to provide protection
against replay attacks and connectionless integrity and data origin
authentication for IP datagrams.

II.  Problem Description

The length field of the option header does not count the size of the
option header itself. This causes a problem when the length is zero: the
count is then incremented by zero, which causes an infinite loop.

In addition there are pointer/offset mistakes in the handling of IPv4
options.

III. Impact

A remote attacker who is able to send an arbitrary packet could cause the
remote target machine to crash.

IV.  Workaround

No workaround is available. Note that in FreeBSD 10 IPsec is not included
in the kernel by default, but it is in FreeBSD 11.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Afterward, reboot the system.
2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-18:05/ipsec.patch
# fetch https://security.FreeBSD.org/patches/SA-18:05/ipsec.patch.asc
# gpg --verify ipsec.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r328621
releng/10.3/                                                      r331985
releng/10.4/                                                      r331985
stable/11/                                                        r328620
releng/11.1/                                                      r331985
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII.
References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6918>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:05.ipsec.asc>
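As an added illustration of the option-walking defect that section II of SA-18:05 describes (this is not FreeBSD's AH code), the following walks a chain of type/length/value options whose length byte excludes the 2-byte header, once with the cursor advanced by the length alone, which never moves past a zero-length option, and once advancing by header plus length with a bounds check at every step. The TLV layout, function names, sample chains and the step budget are assumptions for the example.

```c
/*
 * Added illustration, not FreeBSD's xform_ah.c: walking a chain of
 * type/length/value options whose length byte, as the advisory describes,
 * does NOT count the 2-byte option header itself.  Layout, names, sample
 * data and the step budget are assumptions for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OPT_HDR_LEN 2	/* type byte + length byte (assumed TLV layout) */

/*
 * Walker with the defect the advisory describes: the cursor is advanced by
 * the length field alone, so a zero-length option never moves it.  A step
 * budget keeps this demonstration finite; returns the number of options
 * visited, or -1 when the budget is exhausted (the loop would spin forever).
 */
static int
walk_options_buggy(const uint8_t *opts, size_t len, int max_steps)
{
	size_t off = 0;
	int steps = 0;

	while (off < len) {
		if (len - off < OPT_HDR_LEN)
			return (-1);	/* truncated header */
		if (steps++ >= max_steps)
			return (-1);	/* stuck: off += 0 on every pass */
		off += opts[off + 1];	/* BUG: header bytes not counted */
	}
	return (steps);
}

/*
 * Hardened walker: each option needs a complete header inside the buffer,
 * the value must fit in what remains, and the cursor advances by header
 * plus length, so even a zero-length option moves it forward by 2.
 * Returns the number of options parsed, or -1 for a malformed chain.
 */
static int
walk_options_fixed(const uint8_t *opts, size_t len)
{
	size_t off = 0, optlen;
	int count = 0;

	while (off < len) {
		if (len - off < OPT_HDR_LEN)
			return (-1);	/* truncated header */
		optlen = opts[off + 1];
		if (optlen > len - off - OPT_HDR_LEN)
			return (-1);	/* value runs past the buffer */
		off += OPT_HDR_LEN + optlen;
		count++;
	}
	return (count);
}

/* Constructed sample chains (not captured traffic). */
static const uint8_t chain_zero_len[]  = { 0x05, 0x00, 0x07, 0x01, 0xAA };
static const uint8_t chain_ok[]        = { 0x05, 0x02, 0xAA, 0xBB, 0x07, 0x00 };
static const uint8_t chain_overrun[]   = { 0x05, 0x09 };
static const uint8_t chain_truncated[] = { 0x05 };

int
main(void)
{
	printf("buggy, zero-length option: %d (-1 = would loop forever)\n",
	    walk_options_buggy(chain_zero_len, sizeof(chain_zero_len), 1000));
	printf("fixed, zero-length option: %d options\n",
	    walk_options_fixed(chain_zero_len, sizeof(chain_zero_len)));
	printf("fixed, well-formed chain:  %d options\n",
	    walk_options_fixed(chain_ok, sizeof(chain_ok)));
	printf("fixed, length overrun:     %d\n",
	    walk_options_fixed(chain_overrun, sizeof(chain_overrun)));
	printf("fixed, truncated header:   %d\n",
	    walk_options_fixed(chain_truncated, sizeof(chain_truncated)));
	return (0);
}
```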
FreeBSD Security Advisory FreeBSD-SA-18:04.vt
FreeBSD-SA-18:04.vt                                          Security Advisory
                                                          The FreeBSD Project

Topic:          vt console memory disclosure

Category:       core
Module:         vt console
Announced:      2018-04-04
Credits:        Dr Silvio Cesare of InfoSect
Affects:        All supported versions of FreeBSD.
Corrected:      2018-04-04 05:24:59 UTC (stable/11, 11.1-STABLE)
                2018-04-04 05:33:56 UTC (releng/11.1, 11.1-RELEASE-p9)
                2018-04-04 05:26:33 UTC (stable/10, 10.4-STABLE)
                2018-04-04 05:33:56 UTC (releng/10.4, 10.4-RELEASE-p8)
                2018-04-04 05:33:56 UTC (releng/10.3, 10.3-RELEASE-p29)
CVE Name:       CVE-2018-6917

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

On FreeBSD 11 and later, and FreeBSD 10.x systems that boot via UEFI, the
default system video console is provided by the vt(4) driver. The console
allows the user, including an unprivileged user, to load a font at
runtime.

II.  Problem Description

Insufficient validation of user-provided font parameters can result in an
integer overflow, leading to the use of arbitrary kernel memory as glyph
data. Characters that reference this data can be displayed on the screen,
effectively disclosing kernel memory.

III. Impact

Unprivileged users may be able to access privileged kernel data. Such
memory might contain sensitive information, such as portions of the file
cache or terminal buffers. This information might be directly useful, or
it might be leveraged to obtain elevated privileges in some way; for
example, a terminal buffer might include a user-entered password.

IV.  Workaround

The syscons sc(4) system console is not affected by this issue and may be
used on systems that do not boot via UEFI. To use the syscons console, set
the kern.vty tunable in /boot/loader.conf as described in sc(4), and
reboot. No workaround is available for systems that boot via UEFI.

V.
Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

A reboot is required after the upgrade.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-18:04/vt.patch
# fetch https://security.FreeBSD.org/patches/SA-18:04/vt.patch.asc
# gpg --verify vt.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r331983
releng/10.3/                                                      r331984
releng/10.4/                                                      r331984
stable/11/                                                        r331982
releng/11.1/                                                      r331984
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII.
References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6917>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:04.vt.asc>
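As an added illustration of the parameter validation that section II of SA-18:04 describes as insufficient (this is not the vt(4) driver's code), the following sizes a glyph buffer from user-supplied font dimensions with overflow-checked arithmetic and a hard upper bound, next to the unchecked 32-bit computation that wraps to a small value. The field names, the 1 MiB cap, the 1-bit-per-pixel row layout and the sample parameter sets are assumptions for the example.

```c
/*
 * Added illustration, not the vt(4) driver's code: sizing a glyph buffer
 * from user-supplied font parameters with overflow-checked arithmetic and
 * a hard cap, beside the unchecked 32-bit computation that silently wraps.
 * Field names, the cap, the row layout and the sample data are assumptions.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FONT_MAX_GLYPH_BYTES	(1u << 20)	/* assumed cap: 1 MiB of glyph data */

struct font_params {		/* assumed shape of a user-provided font header */
	uint32_t width;		/* glyph width in pixels */
	uint32_t height;	/* glyph height in rows */
	uint32_t glyph_count;	/* number of glyphs in the map */
};

/*
 * Unchecked computation in 32-bit arithmetic: a large width, height and
 * glyph count wrap to a small value, so the buffer allocated is far smaller
 * than what the glyph indices later read from it.
 */
static uint32_t
glyph_bytes_unchecked(const struct font_params *fp)
{
	uint32_t row_bytes = (fp->width + 7) / 8;	/* 1 bit per pixel, padded */

	return (row_bytes * fp->height * fp->glyph_count);
}

/*
 * Checked computation: every multiply is tested for overflow and the
 * result must stay under a fixed cap.  Returns true and stores the size in
 * *out, or false if the parameters must be rejected.
 */
static bool
glyph_bytes_checked(const struct font_params *fp, size_t *out)
{
	size_t row_bytes, glyph_bytes, total;

	if (fp->width == 0 || fp->height == 0 || fp->glyph_count == 0)
		return (false);
	row_bytes = ((size_t)fp->width + 7) / 8;	/* widen before adding */
	if (__builtin_mul_overflow(row_bytes, (size_t)fp->height, &glyph_bytes))
		return (false);
	if (__builtin_mul_overflow(glyph_bytes, (size_t)fp->glyph_count, &total))
		return (false);
	if (total > FONT_MAX_GLYPH_BYTES)
		return (false);
	*out = total;
	return (true);
}

/* Convenience for callers that only want a size: 0 means rejected. */
static size_t
glyph_bytes_or_zero(const struct font_params *fp)
{
	size_t n;

	return (glyph_bytes_checked(fp, &n) ? n : 0);
}

/* Constructed parameter sets (not taken from any real font file). */
static const struct font_params sane_font = { 8, 16, 256 };
static const struct font_params wrap_font = { 0x10000, 0x20000, 4 };
static const struct font_params huge_font = { UINT32_MAX, UINT32_MAX, UINT32_MAX };

int
main(void)
{
	printf("sane 8x16x256: unchecked=%u checked=%zu bytes\n",
	    glyph_bytes_unchecked(&sane_font), glyph_bytes_or_zero(&sane_font));
	printf("wrapping set:  unchecked=%u checked=%zu (0 = rejected)\n",
	    glyph_bytes_unchecked(&wrap_font), glyph_bytes_or_zero(&wrap_font));
	printf("huge set:      checked=%zu (0 = rejected)\n",
	    glyph_bytes_or_zero(&huge_font));
	return (0);
}
```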
FreeBSD Security Advisory FreeBSD-SA-18:03.speculative_execution
FreeBSD-SA-18:03.speculative_execution                       Security Advisory
                                                          The FreeBSD Project

Topic:          Speculative Execution Vulnerabilities

Category:       core
Module:         kernel
Announced:      2018-03-14
Credits:        Jann Horn (Google Project Zero); Werner Haas, Thomas
                Prescher (Cyberus Technology); Daniel Gruss, Moritz Lipp,
                Stefan Mangard, Michael Schwarz (Graz University of
                Technology); Paul Kocher; Daniel Genkin (University of
                Pennsylvania and University of Maryland), Mike Hamburg
                (Rambus); Yuval Yarom (University of Adelaide and Data61)
Affects:        All supported versions of FreeBSD.
Corrected:      2018-02-17 18:00:01 UTC (stable/11, 11.1-STABLE)
                2018-03-14 04:00:00 UTC (releng/11.1, 11.1-RELEASE-p8)
CVE Name:       CVE-2017-5715, CVE-2017-5754

Special Note:   Speculative execution vulnerability mitigation is a work
                in progress. This advisory addresses the most significant
                issues for FreeBSD 11.1 on amd64 CPUs. We expect to update
                this advisory to include 10.x for amd64 CPUs. Future
                FreeBSD releases will address this issue on i386 and other
                CPUs.

                freebsd-update will include changes on i386 as part of
                this update due to common code changes shared between
                amd64 and i386, however it contains no functional changes
                for i386 (in particular, it does not mitigate the issue on
                i386).

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

Many modern processors have implementation issues that allow unprivileged
attackers to bypass user-kernel or inter-process memory access
restrictions by exploiting speculative execution and shared resources (for
example, caches).

II.  Problem Description

A number of issues relating to speculative execution were found last year
and publicly announced January 3rd. Two of these, known as Meltdown and
Spectre V2, are addressed here.
CVE-2017-5754 (Meltdown)

This issue relies on an affected CPU speculatively executing instructions
beyond a faulting instruction. When this happens, changes to architectural
state are not committed, but observable changes may be left in
micro-architectural state (for example, cache). This may be used to infer
privileged data.

CVE-2017-5715 (Spectre V2)

Spectre V2 uses branch target injection to speculatively execute kernel
code at an address under the control of an attacker.

III. Impact

An attacker may be able to read secret data from the kernel or from a
process when executing untrusted code (for example, in a web browser).

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility, followed by a
reboot into the new kernel:

# freebsd-update fetch
# freebsd-update install
# shutdown -r now

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.1]
# fetch https://security.FreeBSD.org/patches/SA-18:03/speculative_execution-amd64-11.patch
# fetch https://security.FreeBSD.org/patches/SA-18:03/speculative_execution-amd64-11.patch.asc
# gpg --verify speculative_execution-amd64-11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.
Correction details

CVE-2017-5754 (Meltdown)

The mitigation is known as Page Table Isolation (PTI). PTI largely
separates kernel and user mode page tables, so that even during
speculative execution most of the kernel's data is unmapped and not
accessible.

A demonstration of the Meltdown vulnerability is available at
https://github.com/dag-erling/meltdown. A positive result is definitive
(that is, the vulnerability exists with certainty). A negative result
indicates either that the CPU is not affected, or that the test is not
capable of demonstr
FreeBSD Security Advisory FreeBSD-SA-18:01.ipsec [REVISED]
FreeBSD-SA-18:01.ipsec [REVISED]                            Security Advisory
                                                          The FreeBSD Project

Topic:          ipsec validation and use-after-free

Category:       core
Module:         ipsec
Announced:      2018-03-07
Credits:        Maxime Villard
Affects:        All supported versions of FreeBSD.
Corrected:      2018-02-24 13:04:02 UTC (stable/11, 11.1-STABLE)
                2018-03-07 05:53:35 UTC (releng/11.1, 11.1-RELEASE-p7)
                2018-03-07 16:55:15 UTC (stable/10, 10.4-STABLE)
                2018-03-07 17:16:41 UTC (releng/10.4, 10.4-RELEASE-p7)
                2018-03-07 17:16:41 UTC (releng/10.3, 10.3-RELEASE-p28)
CVE Name:       CVE-2018-6916

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:https://security.FreeBSD.org/>.

0.   Revision History

v1.0  2018-03-07  Initial release.
v1.1  2018-03-08  Correct patch for 10.x releases.

I.   Background

The IPsec suite of protocols provides network level security for IPv4 and
IPv6 packets. FreeBSD includes software originally developed by the KAME
project which implements the various protocols that make up IPsec.

In IPsec, the IP Authentication Header (AH) is used to provide protection
against replay attacks and connectionless integrity and data origin
authentication for IP datagrams.

II.  Problem Description

Due to a lack of strict checking, an attacker from a trusted host can send a
specially constructed IP packet that may lead to a system crash.

Additionally, a use-after-free vulnerability in the AH handling code could
cause unpredictable results.

III. Impact

Access to out of bounds or freed mbuf data can lead to a kernel panic or
other unpredictable results.

IV.  Workaround

No workaround is available, but systems not using IPsec are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

And reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

[*** v1.1 NOTE ***] If your 10.x sources were already patched using the
initially published advisory patches, you need to apply the
ipsec-10.rev1.patch. If you had not yet patched your 10.x sources, you need
only apply the ipsec-10.patch file. 11.1 sources were correct in the initial
release and do not need to be updated.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.x system not patched with the original SA-18:01 patch]
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-10.patch
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-10.patch.asc
# gpg --verify ipsec-10.patch.asc

[FreeBSD 10.x that had been patched with the original SA-18:01 patch]
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-10.rev1.patch
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-10.rev1.patch.asc
# gpg --verify ipsec-10.rev1.patch.asc

[FreeBSD 11.1]
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-11.patch
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-11.patch.asc
# gpg --verify ipsec-11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r330609
releng/10.3/                                                      r330611
releng/10.4/                                                      r330611
stable/11/                                                        r329907
releng/11.1/                                                      r330566
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following
command, replacing NN with the revision number, on a machine with Subversion
installed:

# svn diff -cNN --summarize svn://svn.f
FreeBSD Security Advisory FreeBSD-SA-18:01.ipsec
FreeBSD-SA-18:01.ipsec                                      Security Advisory
                                                          The FreeBSD Project

Topic:          ipsec validation and use-after-free

Category:       core
Module:         ipsec
Announced:      2018-03-07
Credits:        Maxime Villard
Affects:        All supported versions of FreeBSD.
Corrected:      2018-02-24 13:04:02 UTC (stable/11, 11.1-STABLE)
                2018-03-07 05:53:35 UTC (releng/11.1, 11.1-RELEASE-p7)
                2018-03-07 05:47:48 UTC (stable/10, 10.4-STABLE)
                2018-03-07 05:53:35 UTC (releng/10.4, 10.4-RELEASE-p6)
                2018-03-07 05:53:35 UTC (releng/10.3, 10.3-RELEASE-p27)
CVE Name:       CVE-2018-6916

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The IPsec suite of protocols provides network level security for IPv4 and
IPv6 packets. FreeBSD includes software originally developed by the KAME
project which implements the various protocols that make up IPsec.

In IPsec, the IP Authentication Header (AH) is used to provide protection
against replay attacks and connectionless integrity and data origin
authentication for IP datagrams.

II.  Problem Description

Due to a lack of strict checking, an attacker from a trusted host can send a
specially constructed IP packet that may lead to a system crash.

Additionally, a use-after-free vulnerability in the AH handling code could
cause unpredictable results.

III. Impact

Access to out of bounds or freed mbuf data can lead to a kernel panic or
other unpredictable results.

IV.  Workaround

No workaround is available, but systems not using IPsec are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

And reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.x]
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-10.patch
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-10.patch.asc
# gpg --verify ipsec-10.patch.asc

[FreeBSD 11.1]
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-11.patch
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-11.patch.asc
# gpg --verify ipsec-11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r330565
releng/10.3/                                                      r330566
releng/10.4/                                                      r330566
stable/11/                                                        r329907
releng/11.1/                                                      r330566
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following
command, replacing NN with the revision number, on a machine with Subversion
installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6916>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:01.ipsec.asc>
FreeBSD Security Advisory FreeBSD-SA-17:12.openssl
FreeBSD-SA-17:12.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSL multiple vulnerabilities

Category:       contrib
Module:         openssl
Announced:      2017-12-09
Affects:        All supported versions of FreeBSD.
Corrected:      2017-12-07 18:04:48 UTC (stable/11, 11.1-STABLE)
                2017-12-09 03:44:26 UTC (releng/11.1, 11.1-RELEASE-p6)
                2017-12-09 03:41:31 UTC (stable/10, 10.4-STABLE)
                2017-12-09 03:45:23 UTC (releng/10.4, 10.4-RELEASE-p5)
                2017-12-09 03:45:23 UTC (releng/10.3, 10.3-RELEASE-p26)
CVE Name:       CVE-2017-3737, CVE-2017-3738

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a
collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit for the Transport Layer Security (TLS) and Secure Sockets
Layer (SSL) protocols. It is also a full-strength general purpose
cryptography library.

II.  Problem Description

Invoking SSL_read()/SSL_write() while in an error state causes data to be
passed without being decrypted/encrypted directly from the SSL/TLS record
layer. In order to exploit this issue an application bug would have to be
present that resulted in a call to SSL_read()/SSL_write() being issued after
having already received a fatal error. [CVE-2017-3737]

There is an overflow bug in the x86_64 Montgomery multiplication procedure
used in exponentiation with 1024-bit moduli. This only affects processors
that support the AVX2 but not ADX extensions like Intel Haswell (4th
generation). [CVE-2017-3738]

This bug only affects FreeBSD 11.x.

III. Impact

Applications with incorrect error handling may inappropriately pass
unencrypted data. [CVE-2017-3737]

Mishandling of carry propagation will produce incorrect output, and make it
easier for a remote attacker to obtain sensitive private-key information. No
EC algorithms are affected and analysis suggests that attacks against RSA and
DSA as a result of this defect would be very difficult to perform and are not
believed likely. Attacks against DH1024 are considered just feasible
(although very difficult) because most of the work necessary to deduce
information about a private key may be performed offline. The amount of
resources required for such an attack would be very significant and likely
only accessible to a limited number of attackers. However, for an attack on
TLS to be meaningful, the server would have to share the DH1024 private key
among multiple clients, which is no longer an option since CVE-2016-0701.
[CVE-2017-3738]

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Restart all daemons that use the library, or reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Restart all daemons that use the library, or reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.x]
# fetch https://security.FreeBSD.org/patches/SA-17:12/openssl-10.patch
# fetch https://security.FreeBSD.org/patches/SA-17:12/openssl-10.patch.asc
# gpg --verify openssl-10.patch.asc

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-17:12/openssl-11.patch
# fetch https://security.FreeBSD.org/patches/SA-17:12/openssl-11.patch.asc
# gpg --verify openssl-11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r326
FreeBSD Security Advisory FreeBSD-SA-17:10.kldstat [REVISED]
FreeBSD-SA-17:10.kldstat                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Information leak in kldstat(2)

Category:       core
Module:         kernel
Announced:      2017-11-15
Credits:        Ilja van Sprundel
                TJ Corley
Affects:        All supported versions of FreeBSD.
Corrected:      2017-11-15 22:34:15 UTC (stable/11, 11.1-STABLE)
                2017-11-15 22:49:47 UTC (releng/11.1, 11.1-RELEASE-p4)
                2017-11-15 22:50:20 UTC (releng/11.0, 11.0-RELEASE-p15)
                2017-11-15 22:35:16 UTC (stable/10, 10.4-STABLE)
                2017-11-15 22:50:47 UTC (releng/10.4, 10.4-RELEASE-p3)
                2017-11-15 22:51:08 UTC (releng/10.3, 10.3-RELEASE-p24)
CVE Name:       CVE-2017-1088

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:https://security.FreeBSD.org/>.

0.   Revision history

v1.0  2017-11-15  Initial release.
v1.1  2017-11-20  Corrected credit. Ilja van Sprundel first reported the
                  issue to the project, but wasn't cited. The FreeBSD
                  Security Team apologizes to Ilja for this oversight.

I.   Background

The kldstat(2) syscall provides information about loaded kld files. The
syscall takes a userland argument of struct kld_file_stat which is then
filled with data about the kld file requested.

II.  Problem Description

The kernel does not properly clear the memory of the kld_file_stat structure
before filling the data. Since the structure filled by the kernel is
allocated on the kernel stack and copied to userspace, a leak of information
from the kernel stack is possible.

III. Impact

Some bytes from the kernel stack can be observed in userspace.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-17:10/kldstat.patch
# fetch https://security.FreeBSD.org/patches/SA-17:10/kldstat.patch.asc
# gpg --verify kldstat.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r325867
releng/10.3/                                                      r325878
releng/10.4/                                                      r325877
stable/11/                                                        r325866
releng/11.0/                                                      r325876
releng/11.1/                                                      r325875
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following
command, replacing NN with the revision number, on a machine with Subversion
installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1088>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:10.kldstat.asc>
FreeBSD Security Advisory FreeBSD-SA-17:10.kldstat
FreeBSD-SA-17:10.kldstat                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Information leak in kldstat(2)

Category:       core
Module:         kernel
Announced:      2017-11-15
Credits:        TJ Corley
Affects:        All supported versions of FreeBSD.
Corrected:      2017-11-15 22:34:15 UTC (stable/11, 11.1-STABLE)
                2017-11-15 22:49:47 UTC (releng/11.1, 11.1-RELEASE-p4)
                2017-11-15 22:50:20 UTC (releng/11.0, 11.0-RELEASE-p15)
                2017-11-15 22:35:16 UTC (stable/10, 10.4-STABLE)
                2017-11-15 22:50:47 UTC (releng/10.4, 10.4-RELEASE-p3)
                2017-11-15 22:51:08 UTC (releng/10.3, 10.3-RELEASE-p24)
CVE Name:       CVE-2017-1088

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The kldstat(2) syscall provides information about loaded kld files. The
syscall takes a userland argument of struct kld_file_stat which is then
filled with data about the kld file requested.

II.  Problem Description

The kernel does not properly clear the memory of the kld_file_stat structure
before filling the data. Since the structure filled by the kernel is
allocated on the kernel stack and copied to userspace, a leak of information
from the kernel stack is possible.

III. Impact

Some bytes from the kernel stack can be observed in userspace.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-17:10/kldstat.patch
# fetch https://security.FreeBSD.org/patches/SA-17:10/kldstat.patch.asc
# gpg --verify kldstat.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r325867
releng/10.3/                                                      r325878
releng/10.4/                                                      r325877
stable/11/                                                        r325866
releng/11.0/                                                      r325876
releng/11.1/                                                      r325875
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following
command, replacing NN with the revision number, on a machine with Subversion
installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1088>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:10.kldstat.asc>
FreeBSD Security Advisory FreeBSD-SA-17:09.shm
FreeBSD-SA-17:09.shm                                        Security Advisory
                                                          The FreeBSD Project

Topic:          POSIX shm allows jails to access global namespace

Category:       core
Module:         shm
Announced:      2017-11-15
Credits:        Whitewinterwolf
Affects:        FreeBSD 10.x
Corrected:      2017-11-13 23:21:17 UTC (stable/10, 10.4-STABLE)
                2017-11-15 22:45:50 UTC (releng/10.4, 10.4-RELEASE-p3)
                2017-11-15 22:45:13 UTC (releng/10.3, 10.3-RELEASE-p24)
CVE Name:       CVE-2017-1087

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

POSIX shared memory objects allow realtime inter-process communication by
sharing a memory area through the use of a named path (see shm_open(2)).
This is used by some multi-process applications to share data between
running processes, such as a common cache, or to implement a
producer-consumer model where several worker processes handle requests
pushed by a producer process.

II.  Problem Description

Named paths are globally scoped, meaning a process located in one jail can
read and modify the content of POSIX shared memory objects created by a
process in another jail or the host system.

III. Impact

A malicious user that has access to a jailed system is able to abuse shared
memory by injecting malicious content in the shared memory region. This
memory region might be executed by applications trusting the shared memory,
like Squid.

This issue could lead to a Denial of Service or local privilege escalation.

IV.  Workaround

No workaround is available, but systems without jails or jails not having
local users are not vulnerable.

V.   Solution

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Reboot the system for the update to take effect.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Reboot the system for the update to take effect.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.4, FreeBSD 10-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-17:09/shm-10.patch
# fetch https://security.FreeBSD.org/patches/SA-17:09/shm-10.patch.asc
# gpg --verify shm-10.patch.asc

[FreeBSD 10.3]
# fetch https://security.FreeBSD.org/patches/SA-17:09/shm-10.3.patch
# fetch https://security.FreeBSD.org/patches/SA-17:09/shm-10.3.patch.asc
# gpg --verify shm-10.3.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r325783
releng/10.3/                                                      r325873
releng/10.4/                                                      r325874
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following
command, replacing NN with the revision number, on a machine with Subversion
installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1087>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:09.shm.asc>
FreeBSD Security Advisory FreeBSD-SA-17:08.ptrace
FreeBSD-SA-17:08.ptrace                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Kernel data leak via ptrace(PT_LWPINFO)

Category:       core
Module:         ptrace
Announced:      2017-11-15
Credits:        John Baldwin
Affects:        All supported versions of FreeBSD.
Corrected:      2017-11-10 12:28:43 UTC (stable/11, 11.1-STABLE)
                2017-11-15 22:39:41 UTC (releng/11.1, 11.1-RELEASE-p4)
                2017-11-15 22:40:15 UTC (releng/11.0, 11.0-RELEASE-p15)
                2017-11-10 12:31:58 UTC (stable/10, 10.4-STABLE)
                2017-11-15 22:40:32 UTC (releng/10.4, 10.4-RELEASE-p3)
                2017-11-15 22:40:46 UTC (releng/10.3, 10.3-RELEASE-p24)
CVE Name:       CVE-2017-1086

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The ptrace(2) syscall provides the facility for a debugger to control the
execution of the target process and to obtain necessary status information
about it. The struct ptrace_lwpinfo structure is reported by one of the
ptrace(2) subcommands and contains a lot of the information about the
stopped thread (light-weight process or LWP, thus the name).

II.  Problem Description

Not all information in the struct ptrace_lwpinfo is relevant for the state
of any thread, and the kernel does not fill the irrelevant bytes or short
strings. Since the structure filled by the kernel is allocated on the kernel
stack and copied to userspace, a leak of information of the kernel stack of
the thread is possible from the debugger.

III. Impact

Some bytes from the kernel stack of the thread can be observed in userspace
through the ptrace(PT_LWPINFO) call.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-17:08/ptrace.patch
# fetch https://security.FreeBSD.org/patches/SA-17:08/ptrace.patch.asc
# gpg --verify ptrace.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r325643
releng/10.3/                                                      r325871
releng/10.4/                                                      r325870
stable/11/                                                        r325642
releng/11.0/                                                      r325869
releng/11.1/                                                      r325868
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following
command, replacing NN with the revision number, on a machine with Subversion
installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1086>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:08.ptrace.asc>
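The kldstat(2) advisory (SA-17:10) and the ptrace(PT_LWPINFO) advisory (SA-17:08) above describe one bug class: a status structure is built on the kernel stack, only the fields of interest are written, and the whole structure is copied to userspace, so whatever the stack held before travels with it. The following is an added example and not FreeBSD code; it models that pattern in userland C and shows why clearing the structure before filling it closes the leak. struct file_stat, its field names, the name "if_em.ko" and the 0xA5 marker are constructed stand-ins for the kernel's structures and stale stack contents.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 32
#define STALE_BYTE   0xA5   /* constructed marker for old kernel stack contents */

/* Constructed stand-in for a kernel status struct such as kld_file_stat
 * or ptrace_lwpinfo: a fixed-size string plus a few scalar fields. */
struct file_stat {
    char      name[NAME_MAX_LEN]; /* NUL-terminated; bytes after the NUL are never written */
    int       refs;
    int       id;
    uintptr_t address;
    size_t    size;
};

typedef void (*fill_fn)(struct file_stat *, const char *, int, size_t);

/* Simulates what the kernel stack slot held before the struct was placed there. */
static void dirty_stack(struct file_stat *st)
{
    memset(st, STALE_BYTE, sizeof *st);
}

/* The fields both strategies write. snprintf() stores the name and its NUL
 * and nothing beyond, so the tail of name[] keeps whatever was there. */
static void fill_fields(struct file_stat *st, const char *name, int id, size_t size)
{
    snprintf(st->name, sizeof st->name, "%s", name);
    st->refs = 1;
    st->id = id;
    st->address = 0x1000;
    st->size = size;
}

/* Defective pattern: write only the fields of interest and copy out. */
static void fill_stat_vulnerable(struct file_stat *st, const char *name, int id, size_t size)
{
    fill_fields(st, name, id, size);
}

/* Hardened pattern: zero the whole structure first (what the fixes for both
 * advisories amount to), then write the same fields. */
static void fill_stat_hardened(struct file_stat *st, const char *name, int id, size_t size)
{
    memset(st, 0, sizeof *st);
    fill_fields(st, name, id, size);
}

/* Counts bytes still carrying the stale marker. The field values written by
 * fill_fields() never contain 0xA5, so every hit is a byte the fill skipped. */
static size_t stale_bytes(const void *p, size_t n)
{
    const unsigned char *b = p;
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (b[i] == STALE_BYTE)
            count++;
    return count;
}

/* Runs one fill strategy on a dirty stack slot, copies the struct to a
 * "userspace" buffer (standing in for copyout(9)) and returns how many
 * stale kernel bytes arrived there. */
static size_t leaked_bytes(fill_fn fill)
{
    struct file_stat kstat;            /* the structure on the kernel stack */
    unsigned char ubuf[sizeof kstat];  /* the caller's buffer in userspace */

    dirty_stack(&kstat);
    fill(&kstat, "if_em.ko", 3, 0x4000);
    memcpy(ubuf, &kstat, sizeof kstat);
    return stale_bytes(ubuf, sizeof ubuf);
}

int main(void)
{
    printf("vulnerable fill: %zu stale kernel bytes reach userspace\n",
           leaked_bytes(fill_stat_vulnerable));
    printf("hardened fill:   %zu stale kernel bytes reach userspace\n",
           leaked_bytes(fill_stat_hardened));
    return 0;
}
```

With an 8-character name, the 23 unwritten bytes of name[] are exactly what leaks; the hardened fill leaks nothing.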
FreeBSD Security Advisory FreeBSD-SA-17:04.ipfilter
FreeBSD-SA-17:04.ipfilter                                   Security Advisory
                                                          The FreeBSD Project

Topic:          ipfilter(4) fragment handling panic

Category:       contrib
Module:         ipfilter
Announced:      2017-04-27
Credits:        Cy Schubert
Affects:        All supported versions of FreeBSD.
Corrected:      2017-04-21 01:51:49 UTC (stable/11, 11.0-STABLE)
                2017-04-27 06:52:30 UTC (releng/11.0, 11.0-RELEASE-p10)
                2017-04-21 01:51:49 UTC (stable/10, 10.3-STABLE)
                2017-04-27 06:52:30 UTC (releng/10.3, 10.3-RELEASE-p19)
CVE Name:       CVE-2017-1081

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

IP Filter, also known as ipfilter(4), is a cross-platform, open source
packet filter (firewall) originally written for BSD operating systems,
including FreeBSD, NetBSD, and OpenBSD, and for Solaris. ipfilter(4) is one
of three firewalls included in FreeBSD (the others being ipfw(4) and pf(4)).
Like the other firewalls in FreeBSD, it performs firewall and NAT functions
in the kernel using the pfil(9) framework.

II.  Problem Description

ipfilter(4) is capable of stateful packet inspection: with the "keep state"
or "keep frags" rule options it maintains not only the state of connections,
such as TCP streams or UDP communication, but also the state of fragmented
packets.

When packet fragments are received they are cached in a hash table (and
linked list). Each incoming fragment is compared with the fragments already
cached in the hash table. If it does not match, a new entry is created in
the hash table. If it does match, the wrong entry is freed: the entry
already in the hash table rather than the new one. This results in a
use-after-free panic (and, for a brief moment before the panic, a memory
leak, because the wrong entry was freed).

III. Impact

Carefully feeding fragments that an ipfilter(4) firewall allows to pass can
cause a panic followed by a reboot loop, a denial of service.

IV.  Workaround

No workaround is available, but systems not using ipfilter(4) are not
vulnerable. A default installation doesn't enable ipfilter(4). ipfilter(4)
configurations not using "keep state" or "keep frags" are not vulnerable.

Users may be able to temporarily replace stateful inspection with stateless
rules; however, this is not as secure as stateful inspection.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Reload the ipl.ko kernel module or reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Reload the ipl.ko kernel module or reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-17:04/ipfilter.patch
# fetch https://security.FreeBSD.org/patches/SA-17:04/ipfilter.patch.asc
# gpg --verify ipfilter.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system or reload the ipl.ko kernel module.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r317241
releng/10.3/                                                      r317487
stable/11/                                                        r317241
releng/11.0/                                                      r317487
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following
command, replacing NN with the revision number, on a machine with Subversion
installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revi
FreeBSD Security Advisory FreeBSD-SA-17:03.ntp
=============================================================================
FreeBSD-SA-17:03.ntp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities of ntp

Category:       contrib
Module:         ntp
Announced:      2017-04-12
Credits:        Network Time Foundation
Affects:        All supported versions of FreeBSD.
Corrected:      2017-03-28 04:48:17 UTC (stable/11, 11.0-STABLE)
                2017-04-12 06:24:35 UTC (releng/11.0, 11.0-RELEASE-p9)
                2017-03-28 04:48:55 UTC (stable/10, 10.3-STABLE)
                2017-04-12 06:24:35 UTC (releng/10.3, 10.3-RELEASE-p18)
CVE Name:       CVE-2017-6464, CVE-2017-6462, CVE-2017-6463, CVE-2016-9042

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
used to synchronize the time of a computer system to a reference time
source.

II.  Problem Description

A vulnerability was discovered in the NTP server's parsing of
configuration directives. [CVE-2017-6464]

A vulnerability was found in NTP, in the parsing of packets from the DPTS
Clock. [CVE-2017-6462]

A vulnerability was discovered in the NTP server's parsing of
configuration directives. [CVE-2017-6463]

A vulnerability was found in NTP, affecting the origin timestamp check
function. [CVE-2016-9042]

III. Impact

A remote, authenticated attacker could cause ntpd to crash by sending a
crafted message. [CVE-2017-6463, CVE-2017-6464]

A malicious device could send crafted messages, causing ntpd to crash.
[CVE-2017-6462]

An attacker able to spoof messages from all of the configured peers could
send crafted packets to ntpd, causing later replies from those peers to be
discarded, resulting in denial of service. [CVE-2016-9042]

IV.  Workaround

No workaround is available, but systems not running ntpd(8) are not
affected. Network administrators are advised to implement BCP-38, which
helps to reduce the risk associated with these attacks.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

The ntpd service has to be restarted after the update. A reboot is
recommended but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The ntpd service has to be restarted after the update. A reboot is
recommended but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.0]
# fetch https://security.FreeBSD.org/patches/SA-17:03/ntp-11.0.patch.xz
# fetch https://security.FreeBSD.org/patches/SA-17:03/ntp-11.0.patch.xz.asc
# gpg --verify ntp-11.0.patch.xz.asc

[FreeBSD 10.3]
# fetch https://security.FreeBSD.org/patches/SA-17:03/ntp-10.3.patch.xz
# fetch https://security.FreeBSD.org/patches/SA-17:03/ntp-10.3.patch.xz.asc
# gpg --verify ntp-10.3.patch.xz.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-----------------------------------------------------------------------------
stable/10/                                                        r316069
releng/10.3/                                                      r316722
stable/11/                                                        r316068
releng/11.0/                                                      r316722
-----------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9042>
<
FreeBSD Security Advisory FreeBSD-SA-17:02.openssl
=============================================================================
FreeBSD-SA-17:02.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSL multiple vulnerabilities

Category:       contrib
Module:         openssl
Announced:      2017-02-23
Affects:        All supported versions of FreeBSD.
Corrected:      2017-01-26 19:14:14 UTC (stable/11, 11.0-STABLE)
                2017-02-23 07:11:48 UTC (releng/11.0, 11.0-RELEASE-p8)
                2017-01-27 07:45:06 UTC (stable/10, 10.3-STABLE)
                2017-02-23 07:12:18 UTC (releng/10.3, 10.3-RELEASE-p16)
CVE Name:       CVE-2016-7055, CVE-2017-3731, CVE-2017-3732

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and
Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

II.  Problem Description

If an SSL/TLS server or client is running on a 32-bit host, and a specific
cipher is being used, then a truncated packet can cause that server or
client to perform an out-of-bounds read, usually resulting in a crash.
[CVE-2017-3731]

There is a carry propagating bug in the x86_64 Montgomery squaring
procedure. No EC algorithms are affected. Analysis suggests that attacks
against RSA and DSA as a result of this defect would be very difficult to
perform and are not believed likely. Attacks against DH are considered
just feasible (although very difficult) because most of the work necessary
to deduce information about a private key may be performed offline. The
amount of resources required for such an attack would be very significant
and likely only accessible to a limited number of attackers. An attacker
would additionally need online access to an unpatched system using the
target private key in a scenario with persistent DH parameters and a
private key that is shared between multiple clients. [CVE-2017-3732]

Montgomery multiplication may produce incorrect results. [CVE-2016-7055]

III. Impact

A remote attacker may trigger a crash on servers or clients that support
RC4-MD5. [CVE-2017-3731]

A remote attacker may be able to deduce information about a private key,
but that would require an enormous amount of resources. [CVE-2017-3732,
CVE-2016-7055]

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Restart all daemons that use the library, or reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Restart all daemons that use the library, or reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.0]
# fetch https://security.FreeBSD.org/patches/SA-17:02/openssl-11.patch
# fetch https://security.FreeBSD.org/patches/SA-17:02/openssl-11.patch.asc
# gpg --verify openssl-11.patch.asc

[FreeBSD 10.3]
# fetch https://security.FreeBSD.org/patches/SA-17:02/openssl-10.patch
# fetch https://security.FreeBSD.org/patches/SA-17:02/openssl-10.patch.asc
# gpg --verify openssl-10.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-----------------------------------------------------------------------------
stable/10/                                                        r312863
releng/10.3/                                                      r314125
stable/11/                                                        r312826
releng/11.0/                                                      r314126
-----------------------------------------------------------------------------

To see which file
FreeBSD Security Advisory FreeBSD-SA-17:01.openssh
=============================================================================
FreeBSD-SA-17:01.openssh                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSH multiple vulnerabilities

Category:       contrib
Module:         OpenSSH
Announced:      2017-01-11
Affects:        All supported versions of FreeBSD.
Corrected:      2017-01-11 05:56:40 UTC (stable/11, 11.0-STABLE)
                2017-01-11 06:01:23 UTC (releng/11.0, 11.0-RELEASE-p7)
                2017-01-11 05:56:40 UTC (stable/10, 10.3-STABLE)
                2017-01-11 06:01:23 UTC (releng/10.3, 10.3-RELEASE-p16)
CVE Name:       CVE-2016-10009, CVE-2016-10010

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenticated transport for a variety of services, including
remote shell access. OpenSSH supports accessing keys provided by a PKCS#11
token.

II.  Problem Description

The ssh-agent(1) agent supports loading a PKCS#11 module from outside a
trusted whitelist. An attacker can request loading of a PKCS#11 module
across a forwarded agent socket. [CVE-2016-10009]

When privilege separation is disabled, forwarded Unix domain sockets would
be created by sshd(8) with the privileges of 'root' instead of the
authenticated user. [CVE-2016-10010]

III. Impact

A remote attacker who has control of a forwarded agent socket on a remote
system and has the ability to write files on the system running the
ssh-agent(1) agent can run arbitrary code under the same user credential.
Because the attacker must already have some control on both systems, it is
relatively hard to exploit this vulnerability in a practical attack.
[CVE-2016-10009]

When privilege separation is disabled (on FreeBSD, privilege separation is
enabled by default and has to be explicitly disabled), an authenticated
attacker can potentially gain root privileges on systems running the
OpenSSH server. [CVE-2016-10010]

IV.  Workaround

Systems not running the ssh-agent(1) and sshd(8) services are not
affected.

System administrators may remove ssh-agent(1) to mitigate CVE-2016-10009.

System administrators should enable privilege separation when running the
OpenSSH server, which is the FreeBSD default, to mitigate CVE-2016-10010.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Kill all running ssh-agent(1) processes and restart the sshd(8) service.
A reboot is recommended but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Kill all running ssh-agent(1) processes and restart the sshd(8) service.
A reboot is recommended but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-17:01/openssh.patch
# fetch https://security.FreeBSD.org/patches/SA-17:01/openssh.patch.asc
# gpg --verify openssh.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Kill all running ssh-agent(1) processes and restart the sshd(8) service.
A reboot is recommended but not required.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-----------------------------------------------------------------------------
stable/10/                                                        r311915
releng/10.3/                                                      r311916
stable/11/                                                        r311915
releng/11.0/                                                      r311916
-----------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.fre
FreeBSD Security Advisory FreeBSD-SA-16:39.ntp
=============================================================================
FreeBSD-SA-16:39.ntp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities of ntp

Category:       contrib
Module:         ntp
Announced:      -XX-XX
Credits:        Network Time Foundation
Affects:        All supported versions of FreeBSD.
Corrected:      2016-11-22 16:22:51 UTC (stable/11, 11.0-STABLE)
                2016-12-22 16:19:05 UTC (releng/11.0, 11.0-RELEASE-p6)
                2016-11-22 16:23:20 UTC (stable/10, 10.3-STABLE)
                2016-12-22 16:19:05 UTC (releng/10.3, 10.3-RELEASE-p15)
                2016-12-22 16:19:05 UTC (releng/10.2, 10.2-RELEASE-p28)
                2016-12-22 16:19:05 UTC (releng/10.1, 10.1-RELEASE-p45)
                2016-11-22 16:23:46 UTC (stable/9, 9.3-STABLE)
                2016-12-22 16:19:05 UTC (releng/9.3, 9.3-RELEASE-p53)
CVE Name:       CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7431,
                CVE-2016-7433, CVE-2016-7434, CVE-2016-9310, CVE-2016-9311

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
used to synchronize the time of a computer system to a reference time
source.

Trap is a mechanism to collect NTP daemon information from a remote host.

II.  Problem Description

Multiple vulnerabilities have been discovered in the NTP suite:

CVE-2016-9311: Trap crash. Reported by Matthew Van Gundy of Cisco ASIG.

CVE-2016-9310: Mode 6 unauthenticated trap information disclosure and DDoS
vector. Reported by Matthew Van Gundy of Cisco ASIG.

CVE-2016-7427: Broadcast Mode Replay Prevention DoS. Reported by Matthew
Van Gundy of Cisco ASIG.

CVE-2016-7428: Broadcast Mode Poll Interval Enforcement DoS. Reported by
Matthew Van Gundy of Cisco ASIG.

CVE-2016-7431: Regression: 010-origin: Zero Origin Timestamp Bypass.
Reported by Sharon Goldberg and Aanchal Malhotra of Boston University.

CVE-2016-7434: Null pointer dereference in _IO_str_init_static_internal().
Reported by Magnus Stubman.

CVE-2016-7426: Client rate limiting and server responses. Reported by
Miroslav Lichvar of Red Hat.

CVE-2016-7433: Reboot sync calculation problem. Reported independently by
Brian Utterback of Oracle, and by Sharon Goldberg and Aanchal Malhotra of
Boston University.

III. Impact

A remote attacker who can send a specially crafted packet can cause a NULL
pointer dereference that will crash ntpd, resulting in a Denial of
Service. [CVE-2016-9311]

An exploitable configuration modification vulnerability exists in the
control mode (mode 6) functionality of ntpd. If, against long-standing BCP
recommendations, "restrict default noquery ..." is not specified, a
specially crafted control mode packet sent by a remote attacker can set
ntpd traps, providing information disclosure and DDoS amplification, and
unset ntpd traps, disabling legitimate monitoring. [CVE-2016-9310]

An attacker with access to the NTP broadcast domain can periodically
inject specially crafted broadcast mode NTP packets into the broadcast
domain which, while being logged by ntpd, can cause ntpd to reject
broadcast mode packets from legitimate NTP broadcast servers.
[CVE-2016-7427]

An attacker with access to the NTP broadcast domain can send specially
crafted broadcast mode NTP packets to the broadcast domain which, while
being logged by ntpd, will cause ntpd to reject broadcast mode packets
from legitimate NTP broadcast servers. [CVE-2016-7428]

Origin timestamp problems were fixed in ntp 4.2.8p6. However, subsequent
timestamp validation checks introduced a regression in the handling of
some Zero origin timestamp checks. [CVE-2016-7431]

If ntpd is configured to allow mrulist query requests from a server that
sends a crafted malicious packet, ntpd will crash on receipt of that
crafted malicious mrulist query packet. [CVE-2016-7434]

An attacker who knows the sources (e.g., from an IPv4 refid in a server
response) and knows the system is (mis)configured in this way can
periodically send packets with a spoofed source address to keep the rate
limiting activated and prevent ntpd from accepting valid responses from
its sources. [CVE-2016-7426]

Ntp Bug 2085 described a condition where the root delay was included
twice, causing the jitter value to be higher than expected. Due to a
misinterpretation of a small-print variable in The Book, the fix for this
problem was incorrect, resulting in a root distance that did not include
the peer dispersion. The calculations and formulas have been reviewed and
reconciled, and the code has been updated accordingly. [CVE-2016-7433]

IV.  Workaround

No workaro
FreeBSD Security Advisory FreeBSD-SA-16:15.sysarch [REVISED]
=============================================================================
FreeBSD-SA-16:15.sysarch [REVISED]                          Security Advisory
                                                          The FreeBSD Project

Topic:          Incorrect argument validation in sysarch(2)

Category:       core
Module:         kernel
Announced:      2016-10-25
Credits:        Core Security, ahaha from Chaitin Tech
Affects:        All supported versions of FreeBSD.
Corrected:      2016-10-25 17:14:50 UTC (stable/11, 11.0-STABLE)
                2016-10-25 17:11:20 UTC (releng/11.0, 11.0-RELEASE-p2)
                2016-10-25 17:16:08 UTC (stable/10, 10.3-STABLE)
                2016-10-25 17:11:15 UTC (releng/10.3, 10.3-RELEASE-p11)
                2016-10-25 17:11:11 UTC (releng/10.2, 10.2-RELEASE-p24)
                2016-10-25 17:11:07 UTC (releng/10.1, 10.1-RELEASE-p41)
                2016-10-25 17:16:58 UTC (stable/9, 9.3-STABLE)
                2016-10-25 17:11:02 UTC (releng/9.3, 9.3-RELEASE-p49)
CVE Name:       CVE-2016-1885

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

0.   Revision history

v1.0  2016-03-16  Initial release.
v1.1  2016-10-25  Revised patch to address a problem pointed out by ahaha
                  from Chaitin Tech.

I.   Background

The IA-32 architecture allows programs to define segments, which provide a
based and size-limited view into the program address space. The
memory-resident processor structure, called the Local Descriptor Table,
usually abbreviated LDT, contains the definitions of the segments. Since
incorrect or malicious segments would breach system integrity, operating
systems do not provide processes direct access to the LDT; instead they
provide system calls which allow controlled installation and removal of
segments.

II.  Problem Description

A special combination of sysarch(2) arguments specifies a request to
uninstall a set of descriptors from the LDT. The starting descriptor to be
cleared and the number of descriptors are provided. Due to lack of
sufficient bounds checking during argument validity verification,
unbounded zeroing of the process LDT and adjacent memory can be initiated
from usermode.

III. Impact

This vulnerability could cause the kernel to panic. In addition it is
possible to perform a local Denial of Service against the system by
unprivileged processes.

IV.  Workaround

No workaround is available, but only the amd64 architecture is affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Reboot is required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Reboot is required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

[*** v1.1 NOTE ***] If your sources are not yet patched using the
initially published advisory patches, then you need to apply both
sysarch.patch and sysarch-01.patch. If your sources are already updated,
or patched with patches from the initial advisory, then you need to apply
sysarch-01.patch only.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD system not patched with original SA-16:15 patch]
# fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch.patch
# fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch.patch.asc
# gpg --verify sysarch.patch.asc

[FreeBSD system that has been patched with original SA-16:15 patch]
# fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch-01.patch
# fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch-01.patch.asc
# gpg --verify sysarch-01.patch.asc

b) Apply the patch(es). Execute the following commands as root for every
patch file downloaded:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-----------------------------------------------------------------------------
stable/9/                                                         r307941
releng/9.3/                                                       r307931
stable/10/                                                        r307940
releng/10.1/                                                      r307
FreeBSD Security Advisory FreeBSD-SA-16:25.bspatch
=============================================================================
FreeBSD-SA-16:25.bspatch                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Heap vulnerability in bspatch

Category:       core
Module:         bsdiff
Announced:      2016-07-25
Affects:        All supported versions of FreeBSD.
Corrected:      2016-07-25 14:52:12 UTC (stable/11, 11.0-BETA2-p1)
                2016-07-25 14:52:12 UTC (stable/11, 11.0-BETA1-p1)
                2016-07-25 14:53:04 UTC (stable/10, 10.3-STABLE)
                2016-07-25 15:04:17 UTC (releng/10.3, 10.3-RELEASE-p6)
                2016-07-25 15:04:17 UTC (releng/10.2, 10.2-RELEASE-p20)
                2016-07-25 15:04:17 UTC (releng/10.1, 10.1-RELEASE-p37)
                2016-07-25 14:53:04 UTC (stable/9, 9.3-STABLE)
                2016-07-25 15:04:17 UTC (releng/9.3, 9.3-RELEASE-p45)
CVE Name:       CVE-2014-9862

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The bspatch utility generates newfile from oldfile and patchfile where
patchfile is a binary patch built by bsdiff(1).

II.  Problem Description

The implementation of bspatch does not check for a negative value on
numbers of bytes read from the diff and extra streams, allowing an
attacker who can control the patch file to write at arbitrary locations in
the heap.

This issue was first discovered by The Chromium Project and reported
independently by Lu Tung-Pin to the FreeBSD project.

III. Impact

An attacker who can control the patch file can cause a crash or run
arbitrary code under the credentials of the user who runs bspatch, in many
cases, root.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

No reboot is needed.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

No reboot is needed.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-16:25/bspatch.patch
# fetch https://security.FreeBSD.org/patches/SA-16:25/bspatch.patch.asc
# gpg --verify bspatch.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-----------------------------------------------------------------------------
stable/9/                                                         r303301
releng/9.3/                                                       r303304
stable/10/                                                        r303301
releng/10.1/                                                      r303304
releng/10.2/                                                      r303304
releng/10.3/                                                      r303304
stable/11/                                                        r303300
-----------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision=NN>

VII. References

<URL:https://bugs.chromium.org/p/chromium/issues/detail?id=372525>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9862>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:25.bspatch.asc>
FreeBSD Security Advisory FreeBSD-SA-16:24.ntp
=============================================================================
FreeBSD-SA-16:24.ntp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities of ntp

Category:       contrib
Module:         ntp
Announced:      2016-06-04
Credits:        Network Time Foundation and various contributors listed
                below
Affects:        All supported versions of FreeBSD.
Corrected:      2016-06-03 08:59:21 UTC (stable/10, 10.3-STABLE)
                2016-06-04 05:46:52 UTC (releng/10.3, 10.3-RELEASE-p5)
                2016-06-04 05:46:52 UTC (releng/10.2, 10.2-RELEASE-p19)
                2016-06-04 05:46:52 UTC (releng/10.1, 10.1-RELEASE-p36)
                2016-06-03 09:03:10 UTC (stable/9, 9.3-STABLE)
                2016-06-04 05:46:52 UTC (releng/9.3, 9.3-RELEASE-p44)
CVE Name:       CVE-2016-4957, CVE-2016-4953, CVE-2016-4954, CVE-2016-4955,
                CVE-2016-4956

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
used to synchronize the time of a computer system to a reference time
source.

II.  Problem Description

Multiple vulnerabilities have been discovered in the NTP suite:

The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that could cause ntpd
to crash. [CVE-2016-4957, Reported by Nicolas Edet of Cisco]

An attacker who knows the origin timestamp and can send a spoofed packet
containing a CRYPTO-NAK to an ephemeral peer target before any other
response is sent can demobilize that association. [CVE-2016-4953, Reported
by Miroslav Lichvar of Red Hat]

An attacker who is able to spoof packets with correct origin timestamps
from enough servers before the expected response packets arrive at the
target machine can affect some peer variables and, for example, cause a
false leap indication to be set. [CVE-2016-4954, Reported by Jakub Prokes
of Red Hat]

An attacker who is able to spoof a packet with a correct origin timestamp
before the expected response packet arrives at the target machine can send
a CRYPTO_NAK or a bad MAC and cause the association's peer variables to be
cleared. If this can be done often enough, it will prevent that
association from working. [CVE-2016-4955, Reported by Miroslav Lichvar of
Red Hat]

The fix for NtpBug2978 does not cover broadcast associations, so broadcast
clients can be triggered to flip into interleave mode. [CVE-2016-4956,
Reported by Miroslav Lichvar of Red Hat.]

III. Impact

Malicious remote attackers may be able to break time synchronization, or
cause the ntpd(8) daemon to crash.

IV.  Workaround

No workaround is available, but systems not running ntpd(8) are not
affected. Network administrators are advised to implement BCP-38, which
helps to reduce the risk associated with the attacks.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

The ntpd service has to be restarted after the update. A reboot is
recommended but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The ntpd service has to be restarted after the update. A reboot is
recommended but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-16:24/ntp.patch
# fetch https://security.FreeBSD.org/patches/SA-16:24/ntp.patch.asc
# gpg --verify ntp.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-----------------------------------------------------------------------------
stable/9/                                                         r301257
releng/9.3/                                                       r301301
stable/10/                                                        r301
FreeBSD Security Advisory FreeBSD-SA-16:20.linux
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-16:20.linux                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Kernel stack disclosure in Linux compatibility layer

Category:       core
Module:         linux(4)
Announced:      2016-05-31
Credits:        CTurt
Affects:        All supported versions of FreeBSD.
Corrected:      2016-05-31 16:57:42 UTC (stable/10, 10.3-STABLE)
                2016-05-31 16:55:50 UTC (releng/10.3, 10.3-RELEASE-p4)
                2016-05-31 16:55:45 UTC (releng/10.2, 10.2-RELEASE-p18)
                2016-05-31 16:55:41 UTC (releng/10.1, 10.1-RELEASE-p35)
                2016-05-31 16:58:00 UTC (stable/9, 9.3-STABLE)
                2016-05-31 16:55:37 UTC (releng/9.3, 9.3-RELEASE-p43)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

FreeBSD is binary-compatible with the Linux operating system through a
loadable kernel module/optional kernel component.  The support is provided
for amd64 and i386 machines.

II.  Problem Description

The implementation of the TIOCGSERIAL ioctl(2) does not clear the output
struct before copying it out to userland.

The implementation of the Linux sysinfo() system call does not clear the
output struct before copying it out to userland.

III. Impact

An unprivileged user can read a portion of uninitialised kernel stack data,
which may contain sensitive information, such as the stack guard, portions
of the file cache or terminal buffers, which an attacker might leverage to
obtain elevated privileges.

IV.  Workaround

No workaround is available, but systems not using the Linux binary
compatibility layer are not vulnerable.  The Linux compatibility layer is
not included in the default GENERIC kernel.  The following command can be
used to test if the Linux binary compatibility layer is loaded:

# kldstat -m linuxelf

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Reboot is required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Reboot is required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-16:20/linux.patch
# fetch https://security.FreeBSD.org/patches/SA-16:20/linux.patch.asc
# gpg --verify linux.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/9/                                                         r301055
releng/9.3/                                                       r301049
stable/10/                                                        r301054
releng/10.1/                                                      r301050
releng/10.2/                                                      r301051
releng/10.3/                                                      r301052
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:http://cturt.github.io/compat-info-leaks.html>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:20.linux.asc>
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXTcSOAAoJEO1n7NZdz2rnjSMP/AsGK5jda/QlrRrpvKyd3HGr
qVsTzro+a2ed2ZlUCamM/JICXfbAit+dOioui+CIN1IKai/mxNPMpIWcPRx1AhDr
3y52MmSzkCqK6QT3tvwYYaG4uOZ3/wbWAJ8EKz2qqYlZ4hkmy24BdvTCGB2SGDgo
Nz1P60NWxaqafCwFyb0xz7Lful52txSLIr9mWZzTcSgwNNEscGiMgzXiY64GlWfQ
r20udpFrPG5+OOwpFAdR4IImQA7B0AYD064NbzN9A+m
FreeBSD Security Advisory FreeBSD-SA-16:22.libarchive
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-16:22.libarchive                                 Security Advisory
                                                          The FreeBSD Project

Topic:          Directory traversal in cpio(1)

Category:       contrib
Module:         libarchive
Announced:      2016-05-31
Credits:        Alexander Cherepanov
Affects:        All supported versions of FreeBSD
Corrected:      2016-05-21 09:03:45 UTC (stable/10, 10.3-STABLE)
                2016-05-31 16:35:03 UTC (releng/10.3, 10.3-RELEASE-p4)
                2016-05-31 16:33:56 UTC (releng/10.2, 10.2-RELEASE-p18)
                2016-05-31 16:32:42 UTC (releng/10.1, 10.1-RELEASE-p35)
                2016-05-21 09:27:30 UTC (stable/9, 9.3-STABLE)
                2016-05-31 16:23:56 UTC (releng/9.3, 9.3-RELEASE-p43)
CVE Name:       CVE-2015-2304

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The libarchive(3) library provides a flexible interface for reading and
writing streaming archive files such as tar(1) and cpio(1), and has been
the basis for the FreeBSD implementation of the tar(1) and cpio(1)
utilities since FreeBSD 5.3.

II.  Problem Description

The cpio(1) tool from the libarchive(3) bundle is vulnerable to a
directory traversal problem via absolute paths in an archive file.

III. Impact

A malicious archive file being unpacked can overwrite an arbitrary file on
a filesystem, if the owner of the cpio process has write access to it.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Reboot is not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Reboot is not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.x]
# fetch https://security.FreeBSD.org/patches/SA-16:22/libarchive-10.patch
# fetch https://security.FreeBSD.org/patches/SA-16:22/libarchive-10.patch.asc
# gpg --verify libarchive-10.patch.asc

[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-16:22/libarchive-9.patch
# fetch https://security.FreeBSD.org/patches/SA-16:22/libarchive-9.patch.asc
# gpg --verify libarchive-9.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/9/                                                         r300363
releng/9.3/                                                       r301044
stable/10/                                                        r300361
releng/10.1/                                                      r301046
releng/10.2/                                                      r301047
releng/10.3/                                                      r301048
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2304>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:22.libarchive.asc>
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXTcSSAAoJEO1n7NZdz2rnpSIQAL4Ao7qcCFcqckTLAwR3UyTe
e65MD/dXcD+Zn6XWao5t/nLQRFyzJgD6p3HIahcPMBXdzaYOlYxVfU7wMlw95llZ
mKruSMP1rT59zxwyP+aLh34aRMRmVu+/L8xMHThMBNyiIFjhiyLIvzm4+k+/vBHY
V1Jc7RdEQr4A19zzhmklCMzttf2M85NggWDraPQfUMyjXwrLDc6Pc1x7w8w8/OAB
Jyj9tiu883epPstgk8uKVqRaa96SGcwFt9Rsp8WZf0/rfk21BS2hNnlxrjPhdkAU
s5KZnCqudbh4Uv0KRLO0htLTMo2QU0gP0d/QeoLBxaPo2VaXrB6jvv7KhDInIpRe
xDQYuc
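The traversal described in section II turns on the path stored in the archive entry: when cpio(1) honours an absolute name such as /etc/passwd, the file lands wherever the archive says rather than under the current directory. The C program below is an added example of the entry-name check an extractor needs; it is not libarchive's code, and the function names, the treatment of ".." and the constructed entry names are this example's assumptions. It strips leading slashes (turning an absolute name into a relative one), drops "." components and refuses any entry that contains a ".." component, since that is the other route out of the extraction directory.

```c
#include <stdio.h>
#include <string.h>

/*
 * Rewrite an archive entry name so extraction can only land inside the
 * current directory.  Leading '/' characters are stripped, "." components
 * and repeated slashes are dropped, and any ".." component causes the
 * entry to be refused.  Returns 1 and fills `out` with the relative path
 * if the entry is safe to extract, 0 if it must be skipped.
 * Illustrative code for this example, not libarchive's implementation.
 */
static int
sanitize_entry_path(const char *name, char *out, size_t outlen)
{
    const char *p = name;
    size_t o = 0;

    while (*p == '/')                   /* absolute path -> relative */
        p++;

    while (*p != '\0') {
        const char *seg = p;
        while (*p != '\0' && *p != '/')
            p++;
        size_t seglen = (size_t)(p - seg);
        while (*p == '/')               /* collapse "a//b" to "a/b" */
            p++;

        if (seglen == 1 && seg[0] == '.')
            continue;                   /* "." adds nothing */
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.')
            return 0;                   /* ".." could leave the target dir */

        if (o + seglen + 2 > outlen)    /* room for '/', segment and NUL */
            return 0;
        if (o > 0)
            out[o++] = '/';
        memcpy(out + o, seg, seglen);
        o += seglen;
    }
    if (o == 0)                         /* "/" or "." alone: nothing to do */
        return 0;
    out[o] = '\0';
    return 1;
}

/* 1 if `name` is accepted and rewrites to `expect`; with expect == NULL,
 * 1 if the entry is refused.  Used by main() and by the checks below. */
static int
entry_becomes(const char *name, const char *expect)
{
    char rel[256];
    int ok = sanitize_entry_path(name, rel, sizeof rel);

    if (expect == NULL)
        return ok == 0;
    return ok == 1 && strcmp(rel, expect) == 0;
}

int
main(void)
{
    /* Constructed entry names, not taken from a real archive. */
    static const char *const entries[] = {
        "/etc/passwd",            /* absolute: becomes etc/passwd */
        "../../etc/passwd",       /* parent traversal: refused */
        "./usr/./local/bin/tool", /* dot components dropped */
        "a//b/../c",              /* ".." in the middle: refused */
        "a/b..c",                 /* not a traversal: kept as is */
        "/",                      /* nothing left: refused */
    };
    char rel[256];

    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        if (sanitize_entry_path(entries[i], rel, sizeof rel))
            printf("extract %-24s -> %s\n", entries[i], rel);
        else
            printf("refuse  %s\n", entries[i]);
    }
    return 0;
}
```

Refusing ".." outright is the conservative choice; an extractor that wants to allow "a/b/../c" has to resolve the path and re-check that the result still lies below the extraction directory, and must also consider symlinks already present on disk, which this example does not model.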
FreeBSD Security Advisory FreeBSD-SA-16:23.libarchive
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-16:23.libarchive                                 Security Advisory
                                                          The FreeBSD Project

Topic:          Buffer overflow in libarchive(3)

Category:       contrib
Module:         libarchive
Announced:      2016-05-31
Affects:        FreeBSD 9.3
Corrected:      2016-05-21 09:27:30 UTC (stable/9, 9.3-STABLE)
                2016-05-31 16:23:56 UTC (releng/9.3, 9.3-RELEASE-p43)
CVE Name:       CVE-2013-0211

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The libarchive(3) library provides a flexible interface for reading and
writing streaming archive files such as tar and cpio, and has been the
basis for FreeBSD's implementation of the tar(1) and cpio(1) utilities
since FreeBSD 5.3.

II.  Problem Description

An integer signedness error in the archive_write_zip_data() function in
archive_write_set_format_zip.c in libarchive(3) could lead to a buffer
overflow on 64-bit machines.

III. Impact

An attacker who can provide input of their choice for creating a ZIP
archive can cause a buffer overflow in libarchive(3) that results in a
core dump or possibly execution of arbitrary code provided by the
attacker.

IV.  Workaround

No workaround is available, but 32-bit systems are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Reboot is not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

A reboot is not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-16:23/libarchive.patch
# fetch https://security.FreeBSD.org/patches/SA-16:23/libarchive.patch.asc
# gpg --verify libarchive.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/9/                                                         r300363
releng/9.3/                                                       r301044
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0211>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:23.libarchive.asc>
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXTcSUAAoJEO1n7NZdz2rnjuwP/36GShkMxVtvEF3LeZCtT1bT
J0TSoXWpOo8rW61W0VEQ8xxOupIUwpDC2zwvgg0ZuPPbUY1nKYGrql8hixzmyg7n
Da7krIxv7guTrpIWumEztS7JAVjZWEW+SfwiXZ7OY+3KHSLcGh5E0MpEvWDy+Ysa
5/fjyaxYV2jHCaXwqNpCHv9ahS3Ca4VMr37E2H+3efdbSzkfUz17nReNjBtk8P76
5teuC/PZ0aXIToOBuP039NPy7Cw42AsgAnEDLayEMIuuq/u4JVmDUONcnjfQ4occ
tlCl3tNmk8LR9kotcvkg+7ZDOZ6zq4NHkcpjek8GPqScV2EgY0wixf4Eo2hD4P4x
NDo4pkzt5L+6mkJoSc/6zBYiVGLAqGBMDqsaemqBL/aTLH6+W+Bulvr9prfB2EIN
EBWfO4zkA3tKAPAZIpCQRzG2FScOjNeH49hy+ISTUWYcWDtNrpYIJdhX+XtsuZIt
Swd++AYcvnDJGX8bTPRb8nOlBWqAAscuIJsvyqyRVahmKrG2USECmhvaIN6jPbVq
8dScr0yO0ixzUpnkEMV8GW8kstC5mwCihJ4MG5qDtsWGYybH93N22eHZyOlCqa9J
d+V8OzEiVEtGtdDqbThDW3FfuimAm6aShTLxATeJTGbc+mQEdUMjjgAmrvCZxcEZ
URXCjA5XayDc0iZySd4r
=XTv8
-----END PGP SIGNATURE-----
FreeBSD Security Advisory FreeBSD-SA-16:21.43bsd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-16:21.43bsd                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Kernel stack disclosure in 4.3BSD compatibility layer

Category:       core
Module:         kernel
Announced:      2016-05-31
Credits:        CTurt
Affects:        All supported versions of FreeBSD.
Corrected:      2016-05-31 16:57:42 UTC (stable/10, 10.3-STABLE)
                2016-05-31 16:55:50 UTC (releng/10.3, 10.3-RELEASE-p4)
                2016-05-31 16:55:45 UTC (releng/10.2, 10.2-RELEASE-p18)
                2016-05-31 16:55:41 UTC (releng/10.1, 10.1-RELEASE-p35)
                2016-05-31 16:58:00 UTC (stable/9, 9.3-STABLE)
                2016-05-31 16:55:37 UTC (releng/9.3, 9.3-RELEASE-p43)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

FreeBSD has a binary compatibility layer for the historic 4.3BSD
operating system.

II.  Problem Description

The implementation of the historic stat(2) system call does not clear the
output struct before copying it out to userland.

III. Impact

An unprivileged user can read a portion of uninitialised kernel stack data,
which may contain sensitive information, such as the stack guard, portions
of the file cache or terminal buffers, which an attacker might leverage to
obtain elevated privileges.

IV.  Workaround

No workaround is available, but systems not using the 4.3BSD compatibility
layer are not vulnerable.  The 4.3BSD compatibility layer is not included
in the default GENERIC kernel configuration.  A custom kernel config that
does not have the COMPAT_43 option is also not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Reboot is required.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-16:21/stat.patch
# fetch https://security.FreeBSD.org/patches/SA-16:21/stat.patch.asc
# gpg --verify stat.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/9/                                                         r301055
releng/9.3/                                                       r301049
stable/10/                                                        r301054
releng/10.1/                                                      r301050
releng/10.2/                                                      r301051
releng/10.3/                                                      r301052
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:http://cturt.github.io/compat-info-leaks.html>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:21.43bsd.asc>
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXTcSQAAoJEO1n7NZdz2rn/JYQAKrbMPuSBxDZzMS0iq76R5Gw
RPkTZcH5zFqXI6s7WGNLtdV6VgatQtG8WsYdaGn+E+dKqGmIu4xtcIfXS6dgP/fT
aqP522x5CbZt2nl3bpQ/vPDnJbEJ/a25nydLjHuCbJP1MqPKCWOJFlt/EOXlqXd4
SptiShq/EDPZgJSODmGp34raAIIeuMHUz2gF8YEBD3Uu8cV6zMHlc1Lj8veI1NJv
xKaSK+31HAdAgkP5NKPEXA3Ei553i1tzN8KGgbEeFvsjtNUuqxR8n2nB2XJ3GANb
E7Z3byjajZqgYim6tYqobAyZEjrdGInNt8E5XEdrJhsIhzn6mqcdpJsf9yur1xY2
TSNaNNlWGicd1TYuPQjd7LPiqKKdIKO3s7P3vHXhJRvy2vD9B4NfX/kcU1UjJkAI
h19iI1B9WbiLakTTJLSn5tcSSIUUNJ3c70jYIoo4WOEHN3x8HvjtaGuH2TK89CA2
tPqkKau4Txd3ikdpNbU6pYDyWAYG+z/cH6F1dYrkchULK8uNP+sEkHai2MYtNv/W
Q0CDy46iHBmbYkTwlEDxPkfDEKsiUbm32AgvfwuEAfjszwYuO1+KjZ6oKXwycQz9
gCyNZVfsjSOV5srzVQ2daUmuNkQiua2zt8JX5J64rUJSYx3AkZHOTNxmVEu12K1U
RdI/7TaMcgMzkGMlwEv9
=qPmZ
-----END PGP SIGNATURE-----
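SA-16:20 (TIOCGSERIAL, sysinfo()) and SA-16:21 (the historic stat(2)) are the same bug class: a handler fills in the fields it knows about in a struct that lives on the kernel stack and then copies the whole object out, so structure padding and any field the handler never writes carry whatever the previous call frame left behind. The C program below is an added example of that pattern and of the fix, not the FreeBSD handlers themselves; the struct layout, the 0xA5 fill that stands in for stale stack contents and the userland memcpy() that stands in for copyout(9) are all assumptions made for the demonstration. Counting the bytes that still carry the fill after the copy shows how much a caller would learn from one call.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Output structure standing in for the objects the affected handlers
 * return (a 4.3BSD-style stat buffer, a Linux serial_struct, the sysinfo
 * struct).  The layout is an assumption; what matters is that the C ABI
 * inserts padding after each 16-bit field and that `reserved` is a field
 * the handler never writes.
 */
struct compat_out {
    uint16_t dev;
    uint32_t ino;           /* 2 padding bytes precede this field */
    uint16_t mode;
    uint32_t size;          /* 2 more padding bytes precede this one */
    uint8_t  reserved[8];   /* never written by either handler */
};

/* A stack slot that still holds data from an earlier kernel call. */
union frame {
    struct compat_out s;
    unsigned char raw[sizeof(struct compat_out)];
};

#define STALE 0xA5  /* byte pattern standing in for old kernel stack data */

/* Vulnerable pattern: fill the known fields, copy out the whole object. */
static size_t
handler_vulnerable(void *user_dst)
{
    union frame f;
    memset(f.raw, STALE, sizeof f.raw);     /* simulate stale stack contents */

    f.s.dev = 1;
    f.s.ino = 42;
    f.s.mode = 0644;
    f.s.size = 4096;
    memcpy(user_dst, &f.s, sizeof f.s);     /* copyout(9) stand-in */
    return sizeof f.s;
}

/* Fixed pattern: zero the object first so padding and unwritten fields
 * can never carry old kernel data.  This memset is the missing bzero(). */
static size_t
handler_fixed(void *user_dst)
{
    union frame f;
    memset(f.raw, STALE, sizeof f.raw);

    memset(&f.s, 0, sizeof f.s);            /* the fix */
    f.s.dev = 1;
    f.s.ino = 42;
    f.s.mode = 0644;
    f.s.size = 4096;
    memcpy(user_dst, &f.s, sizeof f.s);
    return sizeof f.s;
}

/* Call a handler as an unprivileged user would and count how many of the
 * bytes it handed back still hold STALE, i.e. how much "kernel stack"
 * leaked.  None of the legitimate field values above contains 0xA5. */
static size_t
leaked_bytes(size_t (*handler)(void *))
{
    unsigned char user_buf[sizeof(struct compat_out)];
    size_t n = handler(user_buf), leaked = 0;

    for (size_t i = 0; i < n; i++)
        if (user_buf[i] == STALE)
            leaked++;
    return leaked;
}

int
main(void)
{
    printf("struct size: %zu bytes\n", sizeof(struct compat_out));
    printf("vulnerable handler leaks %zu bytes per call\n",
           leaked_bytes(handler_vulnerable));
    printf("fixed handler leaks      %zu bytes per call\n",
           leaked_bytes(handler_fixed));
    return 0;
}
```

On the usual 32- and 64-bit ABIs the struct is 24 bytes and the vulnerable handler leaks 12 of them: four padding bytes plus the eight-byte field it never touches. Repeated calls return fresh stack contents each time, which is how the advisories' mention of stack guards and cached file data arises.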
FreeBSD Security Advisory FreeBSD-SA-16:19.sendmsg
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-16:19.sendmsg                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Incorrect argument handling in sendmsg(2)

Category:       core
Module:         kernel
Announced:      2016-05-17
Credits:        CTurt and the HardenedBSD team
Affects:        FreeBSD 10.x
Corrected:      2016-05-17 22:30:43 UTC (stable/10, 10.3-STABLE)
                2016-05-17 22:28:27 UTC (releng/10.3, 10.3-RELEASE-p3)
                2016-05-17 22:28:20 UTC (releng/10.2, 10.2-RELEASE-p17)
                2016-05-17 22:28:11 UTC (releng/10.1, 10.1-RELEASE-p34)
CVE Name:       CVE-2016-1887

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The sendmsg(2) system call allows a process to send data to a socket.
The data may be accompanied by optional ancillary data.

II.  Problem Description

Incorrect argument handling in the socket code allows a malicious local
user to overwrite a large portion of kernel memory.

III. Impact

A malicious local user may crash the kernel or execute arbitrary code in
the kernel, potentially gaining superuser privileges.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Reboot is required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Reboot is required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-16:19/sendmsg.patch
# fetch https://security.FreeBSD.org/patches/SA-16:19/sendmsg.patch.asc
# gpg --verify sendmsg.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/10/                                                        r300093
releng/10.1/                                                      r300085
releng/10.2/                                                      r300086
releng/10.3/                                                      r300087
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:http://cturt.github.io/sendmsg.html>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1887>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:19.sendmsg.asc>
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXO50VAAoJEO1n7NZdz2rnWOAP/RyUks4Xf30YVGra+bHUjOsw
gFQEJ7HNNJHkkaJ5l0LpVh87YQxr7VXnlddskDRcL6MDf7IjW5bkpw+875iEFz93
VykCN+1l84D0WlXAi9YZwg1GWoQs3SBfNpT1dtr9GuqJYAAeBfvMydJI1jHbJzJJ
7inDzgvhfPOaq8wQBfjXbUN0GgYiz6dJc3xir4+4JRw0C9sgzh1pI14o1oREJbZ0
glmHRCpuijndqluabl7rF19mSSDyF0AV7RqDCZIt7AkYHWvR1yLl4o0LGGBYCLXx
iArz2ayzbAqBVw1JktVHzGx0HuVpobxb/yOpDuYBcaxtSL6riuSYrkzHp0Dca+JT
0/qENdMnXDN98ZMBcvVR66uWUuTVEF3/T2LXCi6G+RllrcoavvLqrcjghqT5k84P
jmAjO3Q3rIeAinjArfyexHo/f/A5CHGJylsY0FZd41A35xWaYg/dd0cT+8qsoigD
65Ix+/6AOIjocqqQToFXiHKBCN5unwrn/UT5heU0K3ZqESGmxUrx+6yJ3mjDjtLh
C7zWcNaJu1whcT7e4eKx9vMlAFFt6OrSnr1V09KnqPiHPtIu95PZhGlrizlZVELQ
8fKHoycOkT5F+00CWzcQuZK+l9p5iT5aWGkhunwvR7EKzqvgEFbDDpaJ5QzKTNTl
lJXypb8SMlol4YY8Spdo
=wuhi
-----END PGP SIGNATURE-----
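The advisory does not spell out which sendmsg(2) argument check was wrong, so the C program below is an added example of the bug class rather than of the kernel's fix: a receiver of ancillary data has to validate every cmsghdr before trusting its cmsg_len, because a length smaller than the header makes the payload size negative once the header is subtracted, and a length larger than what was actually supplied lets the copy run past the buffer. The validator, the locally defined CM_ALIGN macro and the constructed control buffers (SCM_RIGHTS messages with deliberately wrong lengths) are this example's own; nothing here is taken from the FreeBSD socket code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Align a control message length the way CMSG_SPACE() does.  Defined
 * locally so the example does not depend on a platform CMSG_ALIGN macro. */
#define CM_ALIGN(n) (((n) + sizeof(size_t) - 1) & ~(sizeof(size_t) - 1))

/*
 * Walk a control buffer of `len` bytes and return 1 if every cmsghdr is
 * well-formed, 0 otherwise.  A header is trusted only after three checks:
 *   - at least sizeof(struct cmsghdr) bytes remain for the header itself,
 *   - cmsg_len is at least the header size (anything smaller turns the
 *     payload length negative when the header size is subtracted), and
 *   - cmsg_len does not run past the end of the buffer.
 */
static int
validate_control(const void *buf, size_t len)
{
    const unsigned char *p = buf;
    size_t off = 0;

    while (off < len) {
        struct cmsghdr cm;

        if (len - off < sizeof cm)            /* truncated header */
            return 0;
        memcpy(&cm, p + off, sizeof cm);      /* copy: no aliasing games */
        if (cm.cmsg_len < sizeof cm)          /* length underflow */
            return 0;
        if (cm.cmsg_len > len - off)          /* runs past the buffer */
            return 0;
        off += CM_ALIGN(cm.cmsg_len);         /* next header, padded */
    }
    return 1;
}

/* Place one SCM_RIGHTS message carrying `payload` bytes at `out`, with a
 * header that claims `claimed_len`.  Returns the space consumed so a
 * caller can append further messages. */
static size_t
put_cmsg(unsigned char *out, size_t payload, size_t claimed_len)
{
    struct cmsghdr cm;

    memset(&cm, 0, sizeof cm);
    cm.cmsg_len   = claimed_len;
    cm.cmsg_level = SOL_SOCKET;
    cm.cmsg_type  = SCM_RIGHTS;
    memcpy(out, &cm, sizeof cm);
    memset(out + sizeof cm, 0x41, payload);   /* dummy descriptor bytes */
    return CMSG_SPACE(payload);
}

/* Constructed inputs (not captured from a real process). */
static int
check_wellformed(void)     /* two honest messages: must pass */
{
    unsigned char buf[256];
    size_t n = put_cmsg(buf, sizeof(int), CMSG_LEN(sizeof(int)));
    n += put_cmsg(buf + n, 2 * sizeof(int), CMSG_LEN(2 * sizeof(int)));
    return validate_control(buf, n);
}

static int
check_short_header(void)   /* cmsg_len smaller than the header: must fail */
{
    unsigned char buf[64];
    size_t n = put_cmsg(buf, sizeof(int), 4);
    return validate_control(buf, n);
}

static int
check_overlong(void)       /* cmsg_len claims more than is present: must fail */
{
    unsigned char buf[64];
    size_t n = put_cmsg(buf, sizeof(int), CMSG_LEN(4096));
    return validate_control(buf, n);
}

int
main(void)
{
    printf("well-formed control data accepted: %d\n", check_wellformed());
    printf("cmsg_len < header rejected:        %d\n", !check_short_header());
    printf("cmsg_len beyond buffer rejected:   %d\n", !check_overlong());
    return 0;
}
```

The same three checks apply whether the data arrives through the native or a 32-bit compatibility entry point; the value that gets trusted is always the one the caller wrote into the header, never the one the kernel computed from the buffer it was handed.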
FreeBSD Security Advisory FreeBSD-SA-16:18.atkbd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-16:18.atkbd                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Buffer overflow in keyboard driver

Category:       core
Module:         atkbd
Announced:      2016-05-17
Credits:        CTurt and the HardenedBSD team
Affects:        All supported versions of FreeBSD.
Corrected:      2016-05-17 22:29:59 UTC (stable/10, 10.3-STABLE)
                2016-05-17 22:28:27 UTC (releng/10.3, 10.3-RELEASE-p3)
                2016-05-17 22:28:20 UTC (releng/10.2, 10.2-RELEASE-p17)
                2016-05-17 22:28:11 UTC (releng/10.1, 10.1-RELEASE-p34)
                2016-05-17 22:31:12 UTC (stable/9, 9.3-STABLE)
                2016-05-17 22:28:36 UTC (releng/9.3, 9.3-RELEASE-p42)
CVE Name:       CVE-2016-1886

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The atkbd(4) driver, together with the atkbdc(4) driver, provides access
to the AT 84 keyboard or the AT enhanced keyboard which is connected to
the AT keyboard controller.  The driver is required for the console driver
syscons(4) or vt(4).

The driver exposes its own ioctl(2) interface to allow it to be configured
from userland through the kbdcontrol(1) utility.

II.  Problem Description

An incorrect signedness comparison in the ioctl(2) handler allows a
malicious local user to overwrite a portion of kernel memory.

III. Impact

A local user may crash the kernel, read a portion of kernel memory and
execute arbitrary code in kernel context.  Execution of arbitrary code in
kernel context results in privilege escalation.

IV.  Workaround

Disallow keymap changes for non-privileged users:

# sysctl hw.kbd.keymap_restrict_change=4

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Reboot is required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Reboot is required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-16:18/atkbd.patch
# fetch https://security.FreeBSD.org/patches/SA-16:18/atkbd.patch.asc
# gpg --verify atkbd.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/9/                                                         r300093
releng/9.3/                                                       r300088
stable/10/                                                        r300091
releng/10.1/                                                      r300085
releng/10.2/                                                      r300086
releng/10.3/                                                      r300087
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:http://cturt.github.io/SETFKEY.html>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1886>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:18.atkbd.asc>
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXO5z8AAoJEO1n7NZdz2rns0MQAKaUrGjGn0nkFpx/PpiM6SHv
s/Fj/z/qTXTUmimZloiQd9bkMh5wFMymozihVqoQVX2jwzPFm4Cql+Ez8ihTl9YX
s+vMgQA8mUrinebwqXHRY+bZrwbJzsvLhAepL6vrSncPBaXM37smOmVlfjyUySWZ
61L1QPhDZIYSamAMDZFx4qkdv32nWTTaE6OImQOFWY19l2tAxUMrUsTM5zSUfSas
Tq2oP4BUvI58psapMgs38UY1Bjo33E/Gd7n6FS8gUQAX1OspN1wh981oX9GHU+U1
bHY/Ihl+rqlh3Dmxp1JBP8ma2DSLXcuhrywNpE8i/dNQA4sxXXGQyuzVk24Q
FreeBSD Security Advisory FreeBSD-SA-16:17.openssl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-16:17.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple OpenSSL vulnerabilities

Category:       contrib
Module:         openssl
Announced:      2016-05-04
Credits:        OpenSSL Project
Affects:        All supported versions of FreeBSD.
Corrected:      2016-05-03 18:54:20 UTC (stable/10, 10.3-STABLE)
                2016-05-04 15:25:47 UTC (releng/10.3, 10.3-RELEASE-p2)
                2016-05-04 15:26:23 UTC (releng/10.2, 10.2-RELEASE-p16)
                2016-05-04 15:27:09 UTC (releng/10.1, 10.1-RELEASE-p33)
                2016-05-04 06:53:02 UTC (stable/9, 9.3-STABLE)
                2016-05-04 15:27:09 UTC (releng/9.3, 9.3-RELEASE-p41)
CVE Name:       CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2109,
                CVE-2016-2176

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project
is a collaborative effort to develop a robust, commercial-grade,
full-featured Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a
full-strength general purpose cryptography library.

II.  Problem Description

The padding check in AES-NI CBC MAC was rewritten to be in constant time
by making sure that always the same bytes are read and compared against
either the MAC or padding bytes.  But it no longer checked that there was
enough data to have both the MAC and padding bytes. [CVE-2016-2107]

An overflow can occur in the EVP_EncodeUpdate() function which is used
for Base64 encoding of binary data. [CVE-2016-2105]

An overflow can occur in the EVP_EncryptUpdate() function, however it is
believed that there can be no overflows in internal code due to this
problem. [CVE-2016-2106]

When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
a short invalid encoding can cause allocation of large amounts of memory
potentially consuming excessive resources or exhausting memory.
[CVE-2016-2109]

ASN1 Strings that are over 1024 bytes can cause an overread in
applications using the X509_NAME_oneline() function on EBCDIC systems.
[CVE-2016-2176]  FreeBSD does not run on any EBCDIC systems and therefore
is not affected.

III. Impact

A MITM attacker can use a padding oracle attack to decrypt traffic when
the connection uses an AES CBC cipher and the server supports AES-NI.
[CVE-2016-2107]

If an attacker is able to supply very large amounts of input data then a
length check can overflow resulting in a heap corruption. [CVE-2016-2105]

Any application parsing untrusted data through d2i BIO functions is
vulnerable to a memory exhaustion attack. [CVE-2016-2109]  TLS
applications are not affected.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Restart all daemons that use the library, or reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Restart all daemons that use the library, or reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.x]
# fetch https://security.FreeBSD.org/patches/SA-16:17/openssl-10.patch
# fetch https://security.FreeBSD.org/patches/SA-16:17/openssl-10.patch.asc
# gpg --verify openssl-10.patch.asc

[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-16:17/openssl-9.patch
# fetch https://security.FreeBSD.org/patches/SA-16:17/openssl-9.patch.asc
# gpg --verify openssl-9.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- ---
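CVE-2016-2107 is a missing length check in front of a constant-time comparison: the code reads MAC and padding bytes at fixed positions relative to the end of the record, but no longer confirmed that the record was long enough to hold a MAC plus the padding its final byte claims. The C program below is an added example of the check a CBC record verifier needs and of keeping the verdict free of timing and error-code side channels; it is not OpenSSL's code. The record layout (data || MAC || padding || padlen), the 4-byte toy MAC (a keyed FNV-1a hash standing in for HMAC), the key and the constructed records are this example's assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 4   /* toy MAC width; TLS uses 20 (SHA-1) or 32 (SHA-256) */

enum { REC_OK = 0, REC_INVALID = 1 };

/* Toy keyed MAC (FNV-1a over key || data) standing in for HMAC. */
static void
toy_mac(const unsigned char *key, size_t klen,
        const unsigned char *data, size_t n, unsigned char out[MAC_LEN])
{
    uint32_t h = 2166136261u;

    for (size_t i = 0; i < klen; i++) { h ^= key[i];  h *= 16777619u; }
    for (size_t i = 0; i < n; i++)    { h ^= data[i]; h *= 16777619u; }
    out[0] = (unsigned char)(h >> 24); out[1] = (unsigned char)(h >> 16);
    out[2] = (unsigned char)(h >> 8);  out[3] = (unsigned char)h;
}

/* Build data || MAC(data) || padlen+1 bytes of value padlen; return length. */
static size_t
make_record(const unsigned char *data, size_t n, unsigned char padlen,
            const unsigned char *key, size_t klen, unsigned char *out)
{
    memcpy(out, data, n);
    toy_mac(key, klen, data, n, out + n);
    memset(out + n + MAC_LEN, padlen, (size_t)padlen + 1);
    return n + MAC_LEN + (size_t)padlen + 1;
}

/*
 * Verify a decrypted CBC record.  The first test is the one the advisory
 * says was missing: unless len >= MAC_LEN + padlen + 1, the positions of
 * the MAC and padding bytes lie before the start of the record, and a
 * "constant-time" scan that reads them anyway is an out-of-bounds read.
 * After that, every padding byte is examined and the MAC is always
 * computed and compared, and both failures yield the same result, so
 * neither timing nor the return value tells the sender which check failed.
 */
static int
check_record(const unsigned char *rec, size_t len,
             const unsigned char *key, size_t klen)
{
    if (len < 1)
        return REC_INVALID;
    size_t padlen = rec[len - 1];
    if (len < MAC_LEN + padlen + 1)          /* the missing length check */
        return REC_INVALID;

    unsigned char bad = 0;
    for (size_t i = 0; i <= padlen; i++)     /* every pad byte == padlen */
        bad |= rec[len - 1 - i] ^ (unsigned char)padlen;

    size_t data_len = len - MAC_LEN - padlen - 1;
    unsigned char expect[MAC_LEN];
    toy_mac(key, klen, rec, data_len, expect);
    for (size_t i = 0; i < MAC_LEN; i++)     /* constant-time MAC compare */
        bad |= rec[data_len + i] ^ expect[i];

    return bad == 0 ? REC_OK : REC_INVALID;
}

/* Constructed records for the demonstration (key and data are made up). */
static const unsigned char demo_key[] = { 'k', 'e', 'y' };

static int demo_valid_record(void)
{
    unsigned char rec[64];
    size_t n = make_record((const unsigned char *)"hello", 5, 2, demo_key, 3, rec);
    return check_record(rec, n, demo_key, 3);
}

static int demo_tampered_mac(void)
{
    unsigned char rec[64];
    size_t n = make_record((const unsigned char *)"hello", 5, 2, demo_key, 3, rec);
    rec[5] ^= 0x01;                          /* flip a bit in the MAC */
    return check_record(rec, n, demo_key, 3);
}

static int demo_bad_padding(void)
{
    unsigned char rec[64];
    size_t n = make_record((const unsigned char *)"hello", 5, 2, demo_key, 3, rec);
    rec[n - 2] = 0x03;                       /* one pad byte disagrees */
    return check_record(rec, n, demo_key, 3);
}

/* Three bytes whose final byte claims 200 bytes of padding: without the
 * length check the verifier would index far before the record start. */
static int demo_too_short(void)
{
    const unsigned char rec[] = { 0x00, 0x00, 200 };
    return check_record(rec, sizeof rec, demo_key, 3);
}

int
main(void)
{
    printf("valid record: %d  tampered MAC: %d  bad padding: %d  too short: %d\n",
           demo_valid_record(), demo_tampered_mac(), demo_bad_padding(),
           demo_too_short());
    return 0;
}
```

A real TLS implementation additionally has to make the MAC computation itself take time independent of the padding length (the Lucky 13 problem), which the toy MAC here does not attempt; the point of the example is the ordering: bounds first, then a full scan, then one undifferentiated verdict.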
FreeBSD Security Advisory FreeBSD-SA-16:15.sysarch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-16:15.sysarch                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Incorrect argument validation in sysarch(2)

Category:       core
Module:         kernel
Announced:      2016-03-16
Credits:        Core Security
Affects:        All supported versions of FreeBSD.
Corrected:      2016-03-16 22:35:55 UTC (stable/10, 10.2-STABLE)
                2016-03-16 22:31:04 UTC (releng/10.2, 10.2-RELEASE-p14)
                2016-03-16 22:30:56 UTC (releng/10.1, 10.1-RELEASE-p31)
                2016-03-16 22:36:02 UTC (stable/9, 9.3-STABLE)
                2016-03-16 22:30:03 UTC (releng/9.3, 9.3-RELEASE-p39)
CVE Name:       CVE-2016-1885

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The IA-32 architecture allows programs to define segments, which provide
a based and size-limited view into the program address space.  The
memory-resident processor structure called the Local Descriptor Table,
usually abbreviated LDT, contains the definitions of the segments.  Since
incorrect or malicious segments would breach system integrity, operating
systems do not give processes direct access to the LDT; instead they
provide system calls which allow controlled installation and removal of
segments.

II.  Problem Description

A special combination of sysarch(2) arguments specifies a request to
uninstall a set of descriptors from the LDT.  The start descriptor is
cleared and the number of descriptors is provided.  Due to invalid use of
a signed intermediate value in the bounds checking during argument
validation, unbounded zeroing of the process LDT and adjacent memory can
be initiated from usermode.

III. Impact

This vulnerability could cause the kernel to panic.  In addition it is
possible to perform a local Denial of Service against the system from
unprivileged processes.

IV.  Workaround

No workaround is available, but only the amd64 architecture is affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Reboot is required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Reboot is required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch.patch
# fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch.patch.asc
# gpg --verify sysarch.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/9/                                                         r296958
releng/9.3/                                                       r296953
stable/10/                                                        r296957
releng/10.1/                                                      r296954
releng/10.2/                                                      r296955
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1885>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:15.sysarch.asc>
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJW6eO/AAoJEO1n7NZdz2rn0UMP/iU/orN0P6+Rsj9hY2B6M0VS
H6CMMVvketkIIWl9oKX9D/G0g/HyD8uFy06qL2OBz+h99h1oaF5ELl4G6TkF69Ra
yOKrLcWnyi3eWLUaPvGkrLakVpG0+pU3QRvBT+d0nsTarOMPq+nhooarMfAluF3p
c3bXEjzn/lTA5T0zTcGS2o9IgORvYrK
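SA-16:23 (the ZIP writer), SA-16:18 (the atkbd ioctl) and SA-16:15 (the sysarch LDT request) share one root cause: a size or count that arrives from an untrusted caller as a signed value is compared against a bound using signed arithmetic, a negative value passes that comparison, and the same value is then used as an unsigned length for the copy or the zeroing. The C program below is an added example of that pattern, modelled loosely on the descriptor-table clear of the sysarch(2) case, with the corrected check beside it; it is not the FreeBSD, atkbd or libarchive code. The table size, the guard area that lets the demonstration overrun without crashing, and the request values are this example's assumptions. A real kernel has no such guard, which is why the advisories speak of kernel memory corruption and panics.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NDESC  16   /* entries the table really has */
#define NGUARD 16   /* memory beyond the table; exists only in this demo */

/* desc[] and guard[] are contiguous uint64_t cells, so an overrun of the
 * table is visible as clobbered guard cells instead of a crash. */
struct desc_table {
    uint64_t desc[NDESC];
    uint64_t guard[NGUARD];
};

#define GUARD_PATTERN 0xDEADBEEFDEADBEEFULL

static void
table_init(struct desc_table *t)
{
    for (int i = 0; i < NDESC; i++)  t->desc[i]  = 0x1111111111111111ULL;
    for (int i = 0; i < NGUARD; i++) t->guard[i] = GUARD_PATTERN;
}

static int
guard_clobbered(const struct desc_table *t)
{
    int n = 0;
    for (int i = 0; i < NGUARD; i++)
        if (t->guard[i] != GUARD_PATTERN)
            n++;
    return n;
}

/* Vulnerable pattern: start and num come from userland as signed ints and
 * the bound is checked with a signed sum.  num = -8 with start = 8 gives
 * start + num == 0, which passes, and the loop then runs with a huge
 * unsigned count.  Returns 0 on "success", EINVAL when the check rejects. */
static int
clear_descs_vulnerable(struct desc_table *t, int start, int num)
{
    if (start < 0 || start + num > NDESC)        /* signed arithmetic: wrong */
        return EINVAL;

    size_t count = (size_t)num;                  /* -8 becomes SIZE_MAX - 7 */
    /* Clamp only so this demo cannot fault; the kernel code had no clamp. */
    size_t avail = (size_t)(NDESC + NGUARD - start);
    if (count > avail)
        count = avail;

    uint64_t *cells = (uint64_t *)t;             /* flat view: desc then guard */
    for (size_t i = 0; i < count; i++)
        cells[(size_t)start + i] = 0;
    return 0;
}

/* Fixed pattern: reject negative or zero counts up front and compare
 * without any addition that could wrap or go negative. */
static int
clear_descs_fixed(struct desc_table *t, int start, int num)
{
    if (start < 0 || num <= 0 || start > NDESC || num > NDESC - start)
        return EINVAL;
    memset(&t->desc[start], 0, (size_t)num * sizeof(uint64_t));
    return 0;
}

/* Run one request through a handler; report guard cells overwritten. */
static int
probe(int (*handler)(struct desc_table *, int, int), int start, int num)
{
    struct desc_table t;
    table_init(&t);
    handler(&t, start, num);
    return guard_clobbered(&t);
}

/* 1 if the handler accepted the request, 0 if it returned an error. */
static int
accepted(int (*handler)(struct desc_table *, int, int), int start, int num)
{
    struct desc_table t;
    table_init(&t);
    return handler(&t, start, num) == 0;
}

int
main(void)
{
    printf("request start=8 num=-8:\n");
    printf("  vulnerable: accepted=%d, guard cells zeroed=%d\n",
           accepted(clear_descs_vulnerable, 8, -8), probe(clear_descs_vulnerable, 8, -8));
    printf("  fixed:      accepted=%d, guard cells zeroed=%d\n",
           accepted(clear_descs_fixed, 8, -8), probe(clear_descs_fixed, 8, -8));
    return 0;
}
```

The ZIP case in SA-16:23 is the same comparison with the types reversed (a 64-bit signed remaining-length against a size_t), which is why only 64-bit builds were affected there: on a 32-bit build the conversion happened to land on the safe side.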
FreeBSD Security Advisory FreeBSD-SA-16:14.openssh
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 = FreeBSD-SA-16:14.opensshSecurity Advisory The FreeBSD Project Topic: OpenSSH xauth(1) command injection Category: contrib Module: OpenSSH Announced: 2016-03-16 Credits: Affects:All supported versions of FreeBSD. Corrected: 2016-03-12 23:53:20 UTC (stable/10, 10.2-STABLE) 2016-03-14 13:05:13 UTC (releng/10.3, 10.3-RC2) 2016-03-16 22:31:04 UTC (releng/10.2, 10.2-RELEASE-p14) 2016-03-16 22:30:56 UTC (releng/10.1, 10.1-RELEASE-p31) 2016-03-13 23:50:19 UTC (stable/9, 9.3-STABLE) 2016-03-16 22:30:03 UTC (releng/9.3, 9.3-RELEASE-p39) CVE Name: CVE-2016-3115 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. I. Background OpenSSH is an implementation of the SSH protocol suite, providing an encrypted and authenticated transport for a variety of services, including remote shell access. OpenSSH supports X11 forwarding, allowing X11 applications on the server to connect to the client's display. When an X11 forwarding session is established, the OpenSSH daemon runs the xauth tool with information provided by the client to create an authority file on the server containing information that applications need in order to connect to the client's X11 display. II. Problem Description Due to insufficient input validation in OpenSSH, a client which has permission to establish X11 forwarding sessions to a server can piggyback arbitrary shell commands on the data intended to be passed to the xauth tool. III. Impact An attacker with valid credentials and permission to establish X11 forwarding sessions can bypass other restrictions which may have been placed on their account, for instance using ForceCommand directives in the server's configuration file. IV. 
IV.  Workaround

Disable X11 forwarding globally by adding the following line to
/etc/ssh/sshd_config, before any Match blocks:

X11Forwarding no

then either restart the OpenSSH daemon or reboot the system.

Consult the sshd(8) and sshd_config(5) manual pages for additional
information on how to enable or disable X11 forwarding on a per-user or
per-key basis.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
then either restart the OpenSSH daemon or reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# service sshd restart

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-16:14/openssh-xauth.patch
# fetch https://security.FreeBSD.org/patches/SA-16:14/openssh-xauth.patch.asc
# gpg --verify openssh-xauth.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

d) Either restart the OpenSSH daemon or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                         Revision
- -------------------------------------------------------------------------
stable/9/                                                            r296780
releng/9.3/                                                          r296953
stable/10/                                                           r296781
releng/10.1/                                                         r296954
releng/10.2/                                                         r296955
releng/10.3/                                                         r296853
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII.
FreeBSD Security Advisory FreeBSD-SA-16:12.openssl

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-16:12.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple OpenSSL vulnerabilities

Category:       contrib
Module:         openssl
Announced:      2016-03-10
Credits:        OpenSSL Project
Affects:        All supported versions of FreeBSD.
Corrected:      2016-03-04 00:40:15 UTC (stable/10, 10.2-BETA3)
                2016-03-03 07:30:55 UTC (releng/10.2, 10.2-RELEASE-p13)
                2016-03-03 07:30:55 UTC (releng/10.1, 10.1-RELEASE-p30)
                2016-03-10 03:58:48 UTC (stable/9, 9.3-STABLE)
                2016-03-10 10:03:28 UTC (releng/9.3, 9.3-RELEASE-p38)
CVE Name:       CVE-2016-0702, CVE-2016-0703, CVE-2016-0704, CVE-2016-0705
                CVE-2016-0797, CVE-2016-0798, CVE-2016-0799, CVE-2016-0800

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project
is a collaborative effort to develop a robust, commercial-grade,
full-featured Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a
full-strength general purpose cryptography library.

II.  Problem Description

A cross-protocol attack was discovered that could lead to decryption of
TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites
as a Bleichenbacher RSA padding oracle.  Note that traffic between
clients and non-vulnerable servers can be decrypted provided another
server supporting SSLv2 and EXPORT ciphers (even with a different
protocol such as SMTP, IMAP or POP3) shares the RSA keys of the
non-vulnerable server.  This vulnerability is known as DROWN.
[CVE-2016-0800]

A double free bug was discovered when OpenSSL parses malformed DSA
private keys and could lead to a DoS attack or memory corruption for
applications that receive DSA private keys from untrusted sources.  This
scenario is considered rare. [CVE-2016-0705]

The SRP user database lookup method SRP_VBASE_get_by_user had confusing
memory management semantics; the returned pointer was sometimes newly
allocated, and sometimes owned by the callee.  The calling code has no
way of distinguishing these two cases. [CVE-2016-0798]

In the BN_hex2bn function, the number of hex digits is calculated using
an int value |i|.  Later |bn_expand| is called with a value of |i * 4|.
For large values of |i| this can result in |bn_expand| not allocating
any memory because |i * 4| is negative.  This can leave the internal
BIGNUM data field as NULL leading to a subsequent NULL pointer
dereference.  For very large values of |i|, the calculation |i * 4|
could be a positive value smaller than |i|.  In this case memory is
allocated to the internal BIGNUM data field, but it is insufficiently
sized leading to heap corruption.  A similar issue exists in BN_dec2bn.
This could have security consequences if BN_hex2bn/BN_dec2bn is ever
called by user applications with very large untrusted hex/dec data.
This is anticipated to be a rare occurrence. [CVE-2016-0797]

The internal |fmtstr| function used in processing a "%s" formatted
string in the BIO_*printf functions could overflow while calculating
the length of a string and cause an out-of-bounds read when printing
very long strings. [CVE-2016-0799]

A side-channel attack was found which makes use of cache-bank conflicts
on the Intel Sandy-Bridge microarchitecture which could lead to the
recovery of RSA keys. [CVE-2016-0702]

s2_srvr.c did not enforce that clear-key-length is 0 for non-export
ciphers.  If clear-key bytes are present for these ciphers, they
displace encrypted-key bytes. [CVE-2016-0703]

s2_srvr.c overwrites the wrong bytes in the master key when applying
Bleichenbacher protection for export cipher suites. [CVE-2016-0704]
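The BN_hex2bn description above (CVE-2016-0797) is a textbook signed-integer sizing bug: a digit count held in an int is multiplied by 4 to obtain a bit count, and for large counts the product either goes negative (no allocation, later NULL dereference) or wraps to a small positive value (undersized allocation, heap corruption). The following C example is added here to make both failure modes concrete; it is not OpenSSL code. The unchecked function reproduces the wrap-around in unsigned arithmetic (signed overflow itself is undefined in C), and the checked function shows the bound a parser should apply before sizing storage. The function names and the "deadbeef" input are constructed for this illustration.

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Emulates the defective computation: a 32-bit signed digit count is
 * multiplied by 4 to get a bit count.  Signed overflow is undefined
 * behaviour in C, so the wrap-around is reproduced here in unsigned
 * arithmetic and converted back; this is the result the advisory
 * describes being observed in practice. */
int32_t bits_from_hex_digits_unchecked(int32_t ndigits)
{
    uint32_t wrapped = (uint32_t)ndigits * 4u;
    return (int32_t)wrapped;
}

/* Checked version: refuse any count whose bit total would not fit in the
 * int range the allocator is called with.  The result can then never be
 * negative, and never smaller than the digit count it was derived from.
 * Returns 0 to signal "refuse to size this input" (a real number always
 * has at least one digit, so 0 is never a legitimate answer). */
size_t bits_from_hex_digits_checked(size_t ndigits)
{
    if (ndigits == 0 || ndigits > (size_t)INT_MAX / 4)
        return 0;
    return ndigits * 4;
}

/* Counts leading hexadecimal digits of s, the way a hex-string parser
 * determines how much storage it needs before converting. */
size_t count_hex_digits(const char *s)
{
    size_t n = 0;
    while (s[n] != '\0' && isxdigit((unsigned char)s[n]))
        n++;
    return n;
}

/* Parser front end: bits of storage needed for the hex prefix of s,
 * or 0 if the input is empty or too long to size safely. */
size_t hex_storage_bits(const char *s)
{
    return bits_from_hex_digits_checked(count_hex_digits(s));
}

int main(void)
{
    /* Constructed input: 8 hex digits need 32 bits. */
    printf("\"deadbeef\" needs %zu bits\n", hex_storage_bits("deadbeef"));

    /* Digit counts large enough to break the unchecked arithmetic. */
    int32_t neg   = bits_from_hex_digits_unchecked(0x20000000);  /* goes negative */
    int32_t small = bits_from_hex_digits_unchecked(0x40000001);  /* wraps to 4 */
    printf("unchecked 0x20000000 digits -> %d bits\n", neg);
    printf("unchecked 0x40000001 digits -> %d bits\n", small);
    printf("checked   0x20000000 digits -> %s\n",
           bits_from_hex_digits_checked(0x20000000) ? "ok" : "rejected");
    return 0;
}
```

The two bad inputs map directly onto the advisory's two outcomes: 0x20000000 digits yields a negative bit count (the NULL-pointer path), while 0x40000001 digits yields 4 bits, far less than the input needs (the heap-corruption path). The checked variant rejects both before any allocation happens.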
III. Impact

Servers that have the SSLv2 protocol enabled are vulnerable to the
"DROWN" attack, which allows a remote attacker to quickly attack many
recorded TLS connections made to the server, even when the client did
not make any SSLv2 connections themselves.

An attacker who can supply malformed DSA private keys to OpenSSL
applications may be able to cause memory corruption which would lead to
a Denial of Service condition. [CVE-2016-0705]

An attacker connecting with an invalid username can cause a memory leak,
which could eventually lead to a Denial of Service condition.
[CVE-2016-0798]

An attacker who can inject malformed data into an application may be
able to cause memory corruption which would lead to a Denial of Service
condition. [CVE-2016-0797, CVE-2016-0799]

A local attacker who has control of code in a
FreeBSD Security Advisory FreeBSD-SA-16:13.bind

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-16:13.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple BIND vulnerabilities

Category:       contrib
Module:         bind
Announced:      2016-03-10
Credits:        ISC
Affects:        FreeBSD 9.x
Corrected:      2016-03-10 07:47:55 UTC (stable/9, 9.3-STABLE)
                2016-03-10 10:03:28 UTC (releng/9.3, 9.3-RELEASE-p38)
CVE Name:       CVE-2016-1285, CVE-2016-1286

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

II.  Problem Description

Testing by ISC has uncovered a defect in control channel input handling
which can cause named to exit due to an assertion failure in sexpr.c or
alist.c when a malformed packet is sent to named's control channel (the
interface which allows named to be controlled using the "rndc" server
control utility). [CVE-2016-1285]

An error when parsing signature records for DNAME records having
specific properties can lead to named exiting due to an assertion
failure in resolver.c or db.c. [CVE-2016-1286]

III. Impact

A remote attacker can deliberately trigger the failed assertion if the
DNS server accepts remote rndc commands, regardless of whether
authentication is configured.  Note that this is not enabled by default.
[CVE-2016-1285]

A remote attacker who can cause a server to make a query deliberately
chosen to generate a response containing such a signature record can
trigger a failed assertion and cause named to stop.  Disabling DNSSEC
does not provide protection against this vulnerability. [CVE-2016-1286]

IV.  Workaround

No workaround is available, but hosts not running named(8) are not
vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

The named service has to be restarted after the update.  A reboot is
recommended but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The named service has to be restarted after the update.  A reboot is
recommended but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-16:13/bind.patch
# fetch https://security.FreeBSD.org/patches/SA-16:13/bind.patch.asc
# gpg --verify bind.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the named(8) daemon, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                         Revision
- -------------------------------------------------------------------------
stable/9/                                                            r296608
releng/9.3/                                                          r296611
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://kb.isc.org/article/AA-01352>
<URL:https://kb.isc.org/article/AA-01353>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1285>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1286>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:13.bind.asc>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.11 (FreeBSD)

iQIcBAEBCgAGBQJW4UdUAAoJEO1n7NZdz2rnmRwQAIXDSu/gX5A+CFv6+9/2ak+H
3JOMO8p7KSKWhc1Hh7uqTUEy04lmpUylzK6Kj3h5PDNVaObxCcqsCAdy9xLYv8Q6
scBLeaDRPnwVQ1Mb/pkx1pdKSG7oKjY00PY0/hTKOVJUC1
FreeBSD Security Advisory FreeBSD-SA-16:11.openssl

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-16:11.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSL SSLv2 ciphersuite downgrade vulnerability

Category:       contrib
Module:         openssl
Announced:      2016-01-30
Affects:        All supported versions of FreeBSD.
Corrected:      2016-01-28 21:42:10 UTC (stable/10, 10.2-STABLE)
                2016-01-30 06:12:03 UTC (releng/10.2, 10.2-RELEASE-p12)
                2016-01-30 06:12:03 UTC (releng/10.1, 10.1-RELEASE-p29)
                2016-01-30 06:09:38 UTC (stable/9, 9.3-STABLE)
                2016-01-30 06:12:03 UTC (releng/9.3, 9.3-RELEASE-p36)
CVE Name:       CVE-2015-3197

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project
is a collaborative effort to develop a robust, commercial-grade,
full-featured Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a
full-strength general purpose cryptography library.

II.  Problem Description

A malicious client can negotiate SSLv2 ciphers that have been disabled
on the server and complete SSLv2 handshakes even if all SSLv2 ciphers
have been disabled, provided that the SSLv2 protocol was not also
disabled via SSL_OP_NO_SSLv2.

III. Impact

An active MITM attacker may be able to force a protocol downgrade to
SSLv2, which is a flawed protocol, and intercept the communication
between client and server.

IV.  Workaround

No workaround is available, but only applications that do not explicitly
disable SSLv2 are affected.

To determine if a server has SSLv2 enabled, a system administrator can
use the following command, substituting the server's host name and port:

% openssl s_client -ssl2 -connect <host>:<port> 2>&1 | grep DONE

which will print "DONE" if and only if SSLv2 is enabled.  Note that this
check will not work for services that use STARTTLS or DTLS.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Restart all daemons using the library, or reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Restart all daemons using the library, or reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.2]
# fetch https://security.FreeBSD.org/patches/SA-16:11/openssl-10.2.patch
# fetch https://security.FreeBSD.org/patches/SA-16:11/openssl-10.2.patch.asc
# gpg --verify openssl-10.2.patch.asc

[FreeBSD 10.1]
# fetch https://security.FreeBSD.org/patches/SA-16:11/openssl-10.1.patch
# fetch https://security.FreeBSD.org/patches/SA-16:11/openssl-10.1.patch.asc
# gpg --verify openssl-10.1.patch.asc

[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-16:11/openssl-9.3.patch
# fetch https://security.FreeBSD.org/patches/SA-16:11/openssl-9.3.patch.asc
# gpg --verify openssl-9.3.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons using the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                         Revision
- -------------------------------------------------------------------------
stable/9/                                                            r295060
releng/9.3/                                                          r295061
stable/10/                                                           r295016
releng/10.1/                                                         r295061
releng/10.2/                                                         r295061
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN
FreeBSD Security Advisory FreeBSD-SA-16:08.bind

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-16:08.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          BIND remote denial of service vulnerability

Category:       contrib
Module:         bind
Announced:      2016-01-27
Credits:        ISC
Affects:        FreeBSD 9.x
Corrected:      2016-01-20 08:54:35 UTC (stable/9, 9.3-STABLE)
                2016-01-27 07:42:11 UTC (releng/9.3, 9.3-RELEASE-p35)
CVE Name:       CVE-2015-8704

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

Address Prefixes List (APL RR) is a type of DNS Resource Record defined
in RFC 3123.

II.  Problem Description

There is an off-by-one error in a buffer size check when performing
certain string formatting operations.

III. Impact

Slaves using text-format db files could be vulnerable if receiving a
malformed record in a zone transfer from their master.

Masters using text-format db files could be vulnerable if they accept a
malformed record in a DDNS update message.

Recursive resolvers are potentially vulnerable when debug logging is
enabled and if they are fed a deliberately malformed record by a
malicious server.

A server which has cached a specially constructed record could encounter
this condition while performing 'rndc dumpdb'.

IV.  Workaround

No workaround is available, but hosts not running named(8) are not
vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

The named service has to be restarted after the update.  A reboot is
recommended but not required.
2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The named service has to be restarted after the update.  A reboot is
recommended but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-16:08/bind.patch
# fetch https://security.FreeBSD.org/patches/SA-16:08/bind.patch.asc
# gpg --verify bind.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                         Revision
- -------------------------------------------------------------------------
stable/9/                                                            r294405
releng/9.3/                                                          r294905
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://kb.isc.org/article/AA-01335>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8704>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:08.bind.asc>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.8 (FreeBSD)

iQIcBAEBCgAGBQJWqHmfAAoJEO1n7NZdz2rngIkP/Ru1a5U14/iJKqGO2o+OQkk5
j9G3rwEQROlPhtHdUE3vtA2fZcsayJaK1CjU3j91VWlTXHfBnju6gbJVPntNQqe5
TxRFmRhRjcyreNdt6hKvFgDrXmWwrytRukJ/XafdYxoWFDTtrUScwrOH87U8ILcF
gkWgzCQ7EnYqr7sEW1makDHmIOLukJo5pJOnUTRkraDP2oaKSros3GC+Fnh6Wf+q
wYOkgl2gj96ubJW4SvdZCAKFtnMrhw0ZZyrVDuPojzWU+ZotzWvZz3xGvoSqXy5U
rqqtUQNHMU0Aqhe9zurW4B2ioff6XALZPgRYqQRI8ezXTgDDhJSwa12mjTJuQmaR
hQRJlW5u5/Ejj2NML6NkhvLuSApwZcAZ2G7cLGdR6nEKKVEb6mXgnL7T/CdhhTj8
2owIz1iIdI2sUmhv6vuxPxB1k/O7b76LTZ2AL6jx4/mEtOVeofpNej5w7qnvCSqV
RcZsOYRXrMZ0YWuhBkKqnMGGIU0TBMDvjJL5gxf5RR
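SA-16:08 above describes an off-by-one in a buffer size check during string formatting of APL records (CVE-2015-8704). The following C example, added here and not taken from BIND or the FreeBSD patch, shows where that kind of check sits and how the boundary must be written: a formatter for one APL item in RFC 3123 presentation form ("[!]afi:address/prefix") that uses the return value of snprintf and refuses any output that would fill the buffer exactly, because the terminating NUL needs its own byte. The function names, the wrapper used for checking, and the sample addresses are constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Formats one APL item in RFC 3123 presentation form, "[!]afi:address/prefix",
 * into buf.  Returns the length written (without the terminating NUL), or -1
 * when the text does not fit.  The check is "n >= bufsize": the NUL needs its
 * own byte, so a string of exactly bufsize characters must be refused.
 * Writing the check as "n > bufsize" is the off-by-one: it accepts a string
 * that fills the buffer and leaves no room for the terminator. */
int apl_format_item(char *buf, size_t bufsize, bool negate, unsigned afi,
                    const char *address, unsigned prefix)
{
    if (buf == NULL || bufsize == 0 || address == NULL)
        return -1;
    int n = snprintf(buf, bufsize, "%s%u:%s/%u",
                     negate ? "!" : "", afi, address, prefix);
    if (n < 0 || (size_t)n >= bufsize) {
        buf[0] = '\0';   /* never leave a truncated item behind */
        return -1;
    }
    return n;
}

/* Reports whether an item fits a buffer of the given size; a convenience
 * wrapper so the boundary can be probed without managing buffers. */
bool apl_item_fits(size_t bufsize, bool negate, unsigned afi,
                   const char *address, unsigned prefix)
{
    char buf[64];
    if (bufsize > sizeof buf)
        return false;
    return apl_format_item(buf, bufsize, negate, afi, address, prefix) >= 0;
}

int main(void)
{
    char buf[32];
    /* Constructed sample record: "1:192.0.2.0/24" is 14 characters. */
    int n = apl_format_item(buf, sizeof buf, false, 1, "192.0.2.0", 24);
    printf("%d bytes: %s\n", n, buf);
    n = apl_format_item(buf, 15, false, 1, "192.0.2.0", 24);  /* 14 + NUL = 15: fits */
    printf("%d bytes: %s\n", n, buf);
    n = apl_format_item(buf, 14, false, 1, "192.0.2.0", 24);  /* exactly bufsize: refused */
    printf("%d (refused)\n", n);
    return 0;
}
```

The boundary cases in main are the whole point: a 14-character item fits a 15-byte buffer and must be refused by a 14-byte one. A check that compares with ">" instead of ">=" passes the second case, and the byte that the terminator needs is then written past the end of the buffer.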
FreeBSD Security Advisory FreeBSD-SA-16:10.linux

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-16:10.linux                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Linux compatibility layer issetugid(2) system call
                vulnerability

Category:       core
Module:         kernel
Announced:      2016-01-27
Credits:        Isaac Dunham, Brent Cook, Warner Losh
Affects:        All supported versions of FreeBSD.
Corrected:      2016-01-27 07:28:55 UTC (stable/10, 10.2-STABLE)
                2016-01-27 07:41:31 UTC (releng/10.2, 10.2-RELEASE-p11)
                2016-01-27 07:41:31 UTC (releng/10.1, 10.1-RELEASE-p28)
                2016-01-27 07:34:23 UTC (stable/9, 9.3-STABLE)
                2016-01-27 07:42:11 UTC (releng/9.3, 9.3-RELEASE-p35)
CVE Name:       CVE-2016-1883

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

FreeBSD is binary-compatible with the Linux operating system through a
loadable kernel module/optional kernel component.  The support is
provided on amd64 and i386 machines.

II.  Problem Description

A programming error in the Linux compatibility layer could cause the
issetugid(2) system call to return incorrect information.

III. Impact

If an application relies on output of the issetugid(2) system call and
that information is incorrect, this could lead to a privilege
escalation.

IV.  Workaround

No workaround is available, but systems not using the Linux binary
compatibility layer are not vulnerable.

The following command can be used to test if the Linux binary
compatibility layer is loaded:

# kldstat -m linuxelf

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Reboot the system or unload and reload the linux.ko kernel module.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Reboot the system or unload and reload the linux.ko kernel module.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-16:10/linux.patch
# fetch https://security.FreeBSD.org/patches/SA-16:10/linux.patch.asc
# gpg --verify linux.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                         Revision
- -------------------------------------------------------------------------
stable/9/                                                            r294903
releng/9.3/                                                          r294905
stable/10/                                                           r294901
releng/10.1/                                                         r294904
releng/10.2/                                                         r294904
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1883>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:10.linux.asc>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.8 (FreeBSD)

iQIcBAEBCgAGBQJWqHmfAAoJEO1n7NZdz2rnsr0QAJtM4C+IgRcRHdNGL7vXp1NP
u3sFyktcRGCR0p+lMOaFYPp/Vmu09NglhcaxYFbk4WONVSnZKOuiWsjOL9by/eof
77i8bXINlB/8Pp+34KpxDtz5wR3jVAApaL8xvS+/DaKj3RdQ63RrHgtQRTAk+VSO
ISAXxF2U/XAcRlmBQ3oOtqeHads6M1LNG/D/I0FgpU2G17QoUpfa+AvOkS1wBw7d
mdcnC4NDKKx3QnyD0FTrh4z444PwvE3IQ7OSm7VX4/oOZdH+CC9coLCV1BXALrfA
WVmaUMDy8bWiv7JMsda2xl4KhcEx2Y0UN2hGYdMZJubqYcnUknMimW3b2fhsfgl1
UaQDD6xv9I4xZqo1NHh4/WiH33PvOmM+U0E6IMb5hTUbfSd0mXOn4yzTP5gJxe4h
fPk5ZUj/HTKx6C8ERMknTDdn+ZrLLlQJAoDbipPZ
FreeBSD Security Advisory FreeBSD-SA-16:09.ntp

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-16:09.ntp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities of ntp

Category:       contrib
Module:         ntp
Announced:      2016-01-27
Credits:        Cisco ASIG / Network Time Foundation
Affects:        All supported versions of FreeBSD.
Corrected:      2016-01-22 15:55:21 UTC (stable/10, 10.2-STABLE)
                2016-01-27 07:41:31 UTC (releng/10.2, 10.2-RELEASE-p11)
                2016-01-27 07:41:31 UTC (releng/10.1, 10.1-RELEASE-p28)
                2016-01-22 15:56:35 UTC (stable/9, 9.3-STABLE)
                2016-01-27 07:42:11 UTC (releng/9.3, 9.3-RELEASE-p35)
CVE Name:       CVE-2015-7973, CVE-2015-7974, CVE-2015-7975, CVE-2015-7976,
                CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8138,
                CVE-2015-8139, CVE-2015-8140, CVE-2015-8158

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The ntpd(8) daemon is an implementation of the Network Time Protocol
(NTP) used to synchronize the time of a computer system to a reference
time source.

II.  Problem Description

Multiple vulnerabilities have been discovered in ntp 4.2.8p5:

Potential Infinite Loop in ntpq. [CVE-2015-8158]

A logic error would allow packets with an origin timestamp of zero to
bypass this check whenever there is not an outstanding request to the
server. [CVE-2015-8138]

Off-path Denial of Service (DoS) attack on authenticated broadcast
mode. [CVE-2015-7979]

Stack exhaustion in recursive traversal of restriction list.
[CVE-2015-7978]

reslist NULL pointer dereference. [CVE-2015-7977]

ntpq saveconfig command allows dangerous characters in filenames.
[CVE-2015-7976]

nextvar() missing length check. [CVE-2015-7975]

Skeleton Key: Missing key check allows impersonation between
authenticated peers. [CVE-2015-7974]

Deja Vu: Replay attack on authenticated broadcast mode. [CVE-2015-7973]

ntpq vulnerable to replay attacks. [CVE-2015-8140]

Origin Leak: ntpq and ntpdc, disclose origin. [CVE-2015-8139]

III. Impact

A malicious NTP server, or an attacker who can conduct a MITM attack by
intercepting NTP query traffic, may be able to cause an ntpq client to
loop infinitely. [CVE-2015-8158]

A malicious NTP server, or an attacker who can conduct a MITM attack by
intercepting NTP query traffic, may be able to prevent an ntpd(8) daemon
from distinguishing legitimate peer responses from forgeries.  This can
partially be mitigated by configuring multiple time sources.
[CVE-2015-8138]

An off-path attacker who can send broadcast packets with bad
authentication (wrong key, mismatched key, incorrect MAC, etc) to
broadcast clients can cause these clients to tear down associations.
[CVE-2015-7979]

An attacker who can send an unauthenticated 'reslist' command to an NTP
server may cause it to crash, resulting in a denial of service condition
due to stack exhaustion [CVE-2015-7978] or a NULL pointer dereference
[CVE-2015-7977].

An attacker who can send 'modify' requests to an NTP server may be able
to create files that contain dangerous characters in their names, which
could cause dangerous behavior in a later shell invocation.
[CVE-2015-7976]

A remote attacker may be able to crash an ntpq client. [CVE-2015-7975]

A malicious server which holds a trusted key may be able to impersonate
other trusted servers in an authenticated configuration. [CVE-2015-7974]

A man-in-the-middle attacker or a malicious participant that has the
same trusted keys as the victim can replay time packets if the NTP
network is configured for broadcast operations. [CVE-2015-7973]

The ntpq protocol is vulnerable to replay attacks which may be used to
e.g. re-establish an association to a malicious server. [CVE-2015-8140]

An attacker who can intercept NTP traffic can easily forge live server
responses. [CVE-2015-8139]

IV.  Workaround

No workaround is available, but systems not running ntpd(8) are not
affected.

Network administrators are advised to implement BCP-38, which helps to
reduce risk associated with the attacks.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

The ntpd service has to be restarted after the update.  A reboot is
recommended but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The ntpd service has to be restarted after the update.  A reboot is recom
FreeBSD Security Advisory FreeBSD-SA-16:02.ntp
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

FreeBSD-SA-16:02.ntp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          ntp panic threshold bypass vulnerability

Category:       contrib
Module:         ntp
Announced:      2016-01-14
Credits:        Network Time Foundation
Affects:        All supported versions of FreeBSD.
Corrected:      2016-01-11 01:09:50 UTC (stable/10, 10.2-STABLE)
                2016-01-14 09:10:46 UTC (releng/10.2, 10.2-RELEASE-p9)
                2016-01-14 09:11:16 UTC (releng/10.1, 10.1-RELEASE-p26)
                2016-01-11 01:48:16 UTC (stable/9, 9.3-STABLE)
                2016-01-14 09:11:26 UTC (releng/9.3, 9.3-RELEASE-p33)
CVE Name:       CVE-2015-5300

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
used to synchronize the time of a computer system to a reference time
source.

II.  Problem Description

The ntpd(8) daemon has a safety feature to prevent excessive stepping of
the clock called the "panic threshold". If ever ntpd(8) determines the
system clock is incorrect by more than this threshold, the daemon exits.

There is an implementation error within the ntpd(8) implementation of
this feature, which allows the system time to be adjusted in certain
circumstances.

III. Impact

When ntpd(8) is started with the '-g' option specified, the system time
will be corrected regardless of whether the time offset exceeds the panic
threshold (by default, 1000 seconds). The FreeBSD rc(8) subsystem allows
specifying the '-g' option by either including '-g' in the ntpd_flags list
or by enabling ntpd_sync_on_start in the system rc.conf(5) file.

If, at the moment ntpd(8) is restarted, an attacker can immediately respond
to enough requests from enough sources trusted by the target (which is
difficult and not common), there is a window of opportunity in which the
attacker can cause ntpd(8) to set the time to an arbitrary value.

IV.  Workaround

No workaround is available, but systems not running ntpd(8), or running
ntpd(8) without ntpd_sync_on_start="YES" and without the '-g' option in
ntpd_flags, are not affected. Neither of these is set by default.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

The ntpd service has to be restarted after the update. A reboot is
recommended but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The ntpd service has to be restarted after the update. A reboot is
recommended but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.1 and 10.2]
# fetch https://security.FreeBSD.org/patches/SA-16:02/ntp-10.patch
# fetch https://security.FreeBSD.org/patches/SA-16:02/ntp-10.patch.asc
# gpg --verify ntp-10.patch.asc

[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-16:02/ntp-9.patch
# fetch https://security.FreeBSD.org/patches/SA-16:02/ntp-9.patch.asc
# gpg --verify ntp-9.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                      Revision
- ----------------------------------------
stable/9/                        r293652
releng/9.3/                      r293896
stable/10/                       r293650
releng/10.1/                     r293894
releng/10.2/                     r293893
- ----------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subvers
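The advisory's exposure condition is a configuration fact: ntpd(8) runs with '-g' only when rc.conf(5) sets ntpd_sync_on_start to a yes-value or carries '-g' in ntpd_flags. The following is an added example, not part of the FreeBSD advisory, that audits an rc.conf-style file for exactly those two settings. It reads the file with sed(1) rather than sourcing it, so nothing in the file is executed; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the FreeBSD advisory: audit an rc.conf(5)
# file for the two settings that start ntpd(8) with -g, which is the
# precondition for CVE-2015-5300. Paths are parameters so the functions
# can be pointed at any copy of rc.conf, not only /etc/rc.conf.

# Print the value of the last assignment of $2 in file $1, with surrounding
# quotes removed. rc(8) sources rc.conf, so the last assignment wins;
# commented-out lines (leading '#') do not match.
rc_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed "s/^[\"']//; s/[\"'].*\$//"
}

# Same truth table rc.subr(8)'s checkyesno uses: yes/true/on/1, any case.
is_yes() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        yes|true|on|1) return 0 ;;
        *)             return 1 ;;
    esac
}

# Print why ntpd(8) would run with -g and return 0, or print "not exposed"
# and return 1. Token matching is deliberately conservative: any short
# option cluster containing 'g' (e.g. "-gq") counts.
ntpd_g_exposure() {
    f=$1
    if is_yes "$(rc_value "$f" ntpd_sync_on_start)"; then
        echo "exposed: ntpd_sync_on_start is enabled"
        return 0
    fi
    for tok in $(rc_value "$f" ntpd_flags); do
        case "$tok" in
            --*)  ;;                       # long option, not -g
            -*g*) echo "exposed: '$tok' in ntpd_flags"; return 0 ;;
        esac
    done
    echo "not exposed"
    return 1
}

# Demonstration on constructed rc.conf fragments (not real system files).
demo_dir=$(mktemp -d)
printf 'ntpd_enable="YES"\nntpd_sync_on_start="YES"\n' > "$demo_dir/sync"
printf 'ntpd_enable="YES"\nntpd_flags="-g -c /etc/ntp.conf"\n' > "$demo_dir/flags"
printf 'ntpd_enable="YES"\n#ntpd_sync_on_start="YES"\nntpd_flags="-c /etc/ntp.conf"\n' > "$demo_dir/clean"
for f in sync flags clean; do
    printf '%s: %s\n' "$f" "$(ntpd_g_exposure "$demo_dir/$f" || true)"
done
rm -rf "$demo_dir"
```

Run it against /etc/rc.conf (and /etc/rc.conf.local, which rc(8) also reads) before and after patching: on an unpatched host, "exposed" means a restart of ntpd is the window the advisory describes, and removing the setting is the only mitigation available.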
FreeBSD Security Advisory FreeBSD-SA-16:01.sctp
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

FreeBSD-SA-16:01.sctp                                       Security Advisory
                                                          The FreeBSD Project

Topic:          SCTP ICMPv6 error message vulnerability

Category:       core
Module:         SCTP
Announced:      2016-01-14
Credits:        Jonathan T. Looney
Affects:        All supported versions of FreeBSD
Corrected:      2016-01-14 09:11:42 UTC (stable/10, 10.2-STABLE)
                2016-01-14 09:10:46 UTC (releng/10.2, 10.2-RELEASE-p9)
                2016-01-14 09:11:16 UTC (releng/10.1, 10.1-RELEASE-p26)
                2016-01-14 09:11:48 UTC (stable/9, 9.3-STABLE)
                2016-01-14 09:11:26 UTC (releng/9.3, 9.3-RELEASE-p33)
CVE Name:       CVE-2016-1879

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The Stream Control Transmission Protocol (SCTP) provides reliable,
flow-controlled, two-way transmission of data.

The Internet Control Message Protocol for IPv6 (ICMPv6) provides a way for
hosts on the Internet to exchange control information. Among other uses, a
host or router can use ICMPv6 to inform a host when there is an error
delivering a packet sent by that host.

II.  Problem Description

A lack of proper input checks in the ICMPv6 processing in the SCTP stack
can lead to either a failed kernel assertion or to a NULL pointer
dereference. In either case, a kernel panic will follow.

III. Impact

A remote, unauthenticated attacker can reliably trigger a kernel panic in
a vulnerable system running IPv6. Any kernel compiled with both IPv6 and
SCTP support is vulnerable. There is no requirement to have an SCTP socket
open.

IPv4 ICMP processing is not impacted by this vulnerability.

IV.  Workaround

No workaround is available, but systems using a kernel compiled without
SCTP support or IPv6 support are not vulnerable.

In addition, some stateful firewalls may block ICMPv6 messages that are
not responding to a legitimate connection. (However, this may not
completely block the problem, as an ICMPv6 message could still be sent in
response to a legitimate SCTP connection.)

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Rebooting to the new kernel is required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Rebooting to the new kernel is required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-16:01/sctp.patch
# fetch https://security.FreeBSD.org/patches/SA-16:01/sctp.patch.asc
# gpg --verify sctp.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                      Revision
- ----------------------------------------
stable/9/                        r293898
releng/9.3/                      r293896
stable/10/                       r293897
releng/10.1/                     r293894
releng/10.2/                     r293893
- ----------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1879>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:01.sctp.asc>

-BEGIN PGP SIGNATURE-
iQIcBAEBCgAGBQJWl2j1AAoJEO1n7NZdz2rnIfoQAOZTLX3VovQPGj9wr7PspLQi
FreeBSD Security Advisory FreeBSD-SA-16:05.tcp
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

FreeBSD-SA-16:05.tcp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          TCP MD5 signature denial of service

Category:       core
Module:         kernel
Announced:      2016-01-14
Credits:        Ryan Stone, Jonathan T. Looney
Affects:        All supported versions of FreeBSD.
Corrected:      2016-01-14 09:11:42 UTC (stable/10, 10.2-STABLE)
                2016-01-14 09:10:46 UTC (releng/10.2, 10.2-RELEASE-p9)
                2016-01-14 09:11:16 UTC (releng/10.1, 10.1-RELEASE-p26)
                2016-01-14 09:11:48 UTC (stable/9, 9.3-STABLE)
                2016-01-14 09:11:26 UTC (releng/9.3, 9.3-RELEASE-p33)
CVE Name:       CVE-2016-1882

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data stream
service. An optional extension to TCP described in RFC 2385 allows
protecting data streams against spoofed packets with an MD5 signature.

Support for TCP MD5 signatures is not enabled in the default kernel.

II.  Problem Description

A programming error in processing a TCP connection with both TCP_MD5SIG
and TCP_NOOPT socket options may lead to a kernel crash.

III. Impact

A local attacker can crash the kernel, resulting in a denial of service.

A remote attack is theoretically possible, if the server has a listening
socket with TCP_NOOPT set, and the server is either out of SYN cache
entries, or the SYN cache is disabled by configuration.

IV.  Workaround

No workaround is available, but installations running a default kernel,
or a custom kernel without the TCP_SIGNATURE option, are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

System reboot is required.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-16:05/tcp.patch
# fetch https://security.FreeBSD.org/patches/SA-16:05/tcp.patch.asc
# gpg --verify tcp.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                      Revision
- ----------------------------------------
stable/9/                        r293898
releng/9.3/                      r293896
stable/10/                       r293897
releng/10.1/                     r293894
releng/10.2/                     r293893
- ----------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1882>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:05.tcp.asc>

-BEGIN PGP SIGNATURE-
iQIcBAEBCgAGBQJWl2j3AAoJEO1n7NZdz2rnrWcQAN+QX6wEvC7FkTXyX2LHFWas CVOI/KkxkHSVwYMMScmorG27OxDsHTkvrGfqyVbYDczmC5NY+AorMiZMoo7CHn5J gYmS8NZvBPeMKmFt45lBTBDnKT6mOvHBz6UPhyyHruvR6VZ2h3fyLqYzbMKcy12i Onmk/nm3vgrqOCmnqYQN8Xo2v2x4KcKU3/jegK+pdfOwd9Q1bmxzBWwFx8yc7pZ0 3YItalkiMsuRppSuNS9fGoRSoB/Ybf/8pu6SDnhvJnw4CIRGAl3IDKpBanB7F/9E sofcI499s+uyOHPY8TrQ62L4UjteEukwaV8EJh6vPaLm3pns0cSURzKczgytTH3G Nz9GcI3hYdfbXRBgJvwtZv9JY5s3ZtPiqqTwHta7AdplXwiOJJ1Ylso5lZ4beiJh q7Sv+YMJr9cNfnYmSGv33rKN4hdae7XfJm+Ipde4bpgCLFpKkb/aQaGxGlowjDaW 0C77qCg+se3TzwGl0A7ClEq4dLaadTsiShQCpZGQOgc6Wgz9QUBGxU811e3KQHLo 3XQgxGSB9+3d7YiK/ZNkzi8d89VXMgUOx4HoOZ7+SkVBg1+qpbiYnk8VJjLmXyOz dPtDbzWG68wluWcSc7TD5yIYx2Lw4E9ZMWzh2boOxEWrcd9mxCUPiU9nsF+PIAPG kTcLnX0+iXijpKMnQpgP =UjjC
-END PGP SIGNATURE-
FreeBSD Security Advisory FreeBSD-SA-16:03.linux
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

FreeBSD-SA-16:03.linux                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Linux compatibility layer incorrect futex handling

Category:       core
Module:         kernel
Announced:      2016-01-14
Credits:        Mateusz Guzik
Affects:        All supported versions of FreeBSD.
Corrected:      2016-01-14 09:11:42 UTC (stable/10, 10.2-STABLE)
                2016-01-14 09:10:46 UTC (releng/10.2, 10.2-RELEASE-p9)
                2016-01-14 09:11:16 UTC (releng/10.1, 10.1-RELEASE-p26)
                2016-01-14 09:11:48 UTC (stable/9, 9.3-STABLE)
                2016-01-14 09:11:26 UTC (releng/9.3, 9.3-RELEASE-p33)
CVE Name:       CVE-2016-1880

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

FreeBSD is binary-compatible with the Linux operating system through a
loadable kernel module/optional kernel component. The support is provided
on amd64 and i386 machines.

II.  Problem Description

A programming error in the handling of Linux futex robust lists may result
in incorrect memory locations being accessed.

III. Impact

It is possible for a local attacker to read portions of kernel memory,
which may result in a privilege escalation.

IV.  Workaround

No workaround is available, but systems not using the Linux binary
compatibility layer are not vulnerable.

The following command can be used to test if the Linux binary
compatibility layer is loaded:

# kldstat -m linuxelf

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Reboot the system or unload and reload the linux.ko kernel module.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Reboot the system or unload and reload the linux.ko kernel module.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-16:03/linux.patch
# fetch http://security.FreeBSD.org/patches/SA-16:03/linux.patch.asc

b) Apply the patch. The syscall tables live under the kernel source tree
(sys/), so the sysent regeneration is run there:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/sys/amd64/linux32
# make sysent
# cd /usr/src/sys/i386/linux
# make sysent

c) Recompile your kernel and modules as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html>.

Reboot the system or unload and reload the linux.ko kernel module.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Subversion:

Branch/path                      Revision
- ----------------------------------------
stable/9/                        r293898
releng/9.3/                      r293896
stable/10/                       r293897
releng/10.1/                     r293894
releng/10.2/                     r293893
- ----------------------------------------

VII. References

<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1880>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-16:03.linux.asc>

-BEGIN PGP SIGNATURE-
iQIcBAEBCgAGBQJWl2j2AAoJEO1n7NZdz2rngkcQAJ8yxlxYd+qZPf+pbP+0Kj6w +Sy8BrSUrYLMFynrs4vRPTJobLnVGpwkp6I6ZCDL/yoI/7Xkl3ld7HWfH7MAJ6WP x0j5/bC+AlWGpKfL6wqeddxjHgmaAlDznN1MyO+3byVfP1Y8VVppbzqPNw9AW17Q kNqNAMsVuk3OMpoE7CYEsaH6rzHzbMGAPuR+KN5J55Mth6dNkIYSIFJ0sCae5cnv P6SoMKjn7ffcHymmX/Yj7K0FTOrJOePR0eLbTITivJT1uZ3bYbbYyK1bYslE6bwF EQ3Ij+LhZdM5D7GBOpILBZ9ojvVMq8PiW9yY3zo7DRrwWajBy8pe/3ow0u7igoOK /0XUFmRT0Q0iCxlGhXPxEGcc40g6oE6oVz1m3Ewgqc2+iZm+w6N/w88dRqiBHNgL AiCqleI10eRNgP1uq7XT/5PEslmQLxSCrDPFDOgmSZc3uY7H5LBb6O9fb7YTpn6J bfL7yyJFei/lAlY1s2b+4/DW9PE1OwxNw/R85mSUpbP5my5wwZR+s3mGTLI2JAlk 74Nw/OR9HLLHoEO5JlagfEclKp7O+JzhHYkAcBm7yRMRr1LV+7JZQEaTCeWTkm6L YvL8Ca1PAL6qNLZbxQ26Gjka7KCrFhhNfR22c3Lz4pLtkg9YmDRb4sy6i+q3ellG 0mLi0OqTu2gn+25xhidf =OQft
-END PGP SIGNATURE-
FreeBSD Security Advisory FreeBSD-SA-16:04.linux
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

FreeBSD-SA-16:04.linux                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Linux compatibility layer setgroups(2) system call
                vulnerability

Category:       core
Module:         kernel
Announced:      2016-01-14
Credits:        Dmitry Chagin
Affects:        All supported versions of FreeBSD
Corrected:      2016-01-14 09:11:42 UTC (stable/10, 10.2-STABLE)
                2016-01-14 09:10:46 UTC (releng/10.2, 10.2-RELEASE-p9)
                2016-01-14 09:11:16 UTC (releng/10.1, 10.1-RELEASE-p26)
                2016-01-14 09:11:48 UTC (stable/9, 9.3-STABLE)
                2016-01-14 09:11:26 UTC (releng/9.3, 9.3-RELEASE-p33)
CVE Name:       CVE-2016-1881

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

FreeBSD is binary-compatible with the Linux operating system through a
loadable kernel module/optional kernel component. The support is provided
on amd64 and i386 machines.

II.  Problem Description

A programming error in the Linux compatibility layer setgroups(2) system
call can lead to unexpected results, such as overwriting random kernel
memory contents.

III. Impact

It is possible for a local attacker to overwrite portions of kernel
memory, which may result in a privilege escalation or cause a system
panic.

IV.  Workaround

No workaround is available, but systems not using the Linux binary
compatibility layer are not vulnerable.

The following command can be used to test if the Linux binary
compatibility layer is loaded:

# kldstat -m linuxelf

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Reboot the system or unload and reload the linux.ko kernel module.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Reboot the system or unload and reload the linux.ko kernel module.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-16:04/linux.patch
# fetch https://security.FreeBSD.org/patches/SA-16:04/linux.patch.asc
# gpg --verify linux.patch.asc

b) Apply the patch. Execute the following commands as root (the syscall
tables live under the kernel source tree, sys/):

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/sys/amd64/linux32
# make sysent
# cd /usr/src/sys/i386/linux
# make sysent

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>.

Reboot the system or unload and reload the linux.ko kernel module.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                      Revision
- ----------------------------------------
stable/9/                        r293898
releng/9.3/                      r293896
stable/10/                       r293897
releng/10.1/                     r293894
releng/10.2/                     r293893
- ----------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1881>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:04.linux.asc>

-BEGIN PGP SIGNATURE-
iQIcBAEBCgAGBQJWl2j3AAoJEO1n7NZdz2rnstMP/jddSJehSXe9rlL2qhYfRrQY XZSuoOtolvcl2xSQCZYprXN95/i890VOdJ9x4+iYJA2IQO55a8MjS1DcJjjonV7J zJa7Apnu1jaK1jDx+RL6C3eVDff0ss1B7NvZTXmjHn+nIsIRxd6vzxDp2NujTnWS XHNinNAPcVK9Hy/AJh1W+mClvgLg+lyMICuraMjTDc5ML3+fxUmXfDUWq1mm2Chq uYXMXcIBXBJx1mnnm9n2izExr7j7AHaVJywe/UYk+KCNbSeags76pt1vuPfoOjdE BaSlX9KNMouYU0JNfv/wC7/UnuQ/BY1
FreeBSD Security Advisory FreeBSD-SA-16:07.openssh
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

FreeBSD-SA-16:07.openssh                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSH client information leak

Category:       contrib
Module:         openssh
Announced:      2016-01-14
Credits:        Qualys Security Advisory Team
Affects:        All supported versions of FreeBSD.
Corrected:      2016-01-14 22:42:43 UTC (stable/10, 10.2-STABLE)
                2016-01-14 22:45:33 UTC (releng/10.2, 10.2-RELEASE-p10)
                2016-01-14 22:47:54 UTC (releng/10.1, 10.1-RELEASE-p27)
                2016-01-14 22:50:35 UTC (stable/9, 9.3-STABLE)
                2016-01-14 22:53:07 UTC (releng/9.3, 9.3-RELEASE-p34)
CVE Name:       CVE-2016-0777

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenticated transport for a variety of services,
including remote shell access. ssh(1) is the client-side utility used to
log in to remote servers.

II.  Problem Description

The OpenSSH client code contains experimental support for resuming SSH
connections (roaming). The matching server code has never been shipped,
but the client code was enabled by default and could be tricked by a
malicious server into leaking client memory to the server, including
private client user keys.

III. Impact

A user that authenticates to a malicious or compromised server may reveal
private data, including the private SSH key of the user.

IV.  Workaround

The vulnerable code in the client can be completely disabled by adding
'UseRoaming no' to the global ssh_config(5) file, or to user
configuration in ~/.ssh/config, or by passing -oUseRoaming=no on the
command line.

All current remote ssh(1) sessions need to be restarted after changing
the configuration file.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-16:07/openssh.patch
# fetch https://security.FreeBSD.org/patches/SA-16:07/openssh.patch.asc
# gpg --verify openssh.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                      Revision
- ----------------------------------------
stable/9/                        r294053
releng/9.3/                      r294054
stable/10/                       r294049
releng/10.1/                     r294051
releng/10.2/                     r294052
- ----------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0777>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:07.openssh.asc>

-BEGIN PGP SIGNATURE-
iQIcBAEBCgAGBQJWmH8uAAoJEO1n7NZdz2rnZ3MQAMPm2/+gM/83HbibOzRXfo7v 4D3j93BOEGltCQx8y+Stu3Y/CNA6eRYVPvD0u65DeO2bevQcYPQbfHSa5fxYgjWQ yqmLAvB+KZyGxAWZZhXsOWS6oUsK6y75jaWho3Oq19VLps8CWqHauvIyk0b1z/KA IlYYcXOdAvDgLoZHVcLbKU0jdOvMmc/iwxhx0aPVu4D2LXIr59xQcA/AsbKobk5V oqWt5CaaiZCXmVaw9eQhqNuXYC3zoY2/eh8FKG6IkIH9eyL6qQUIxumluxcui1MZ 25tZjp+OsmpVLgWxUyKKyQOVj3rRjai
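The workaround in section IV is a one-line config change, but it is only effective if the line is reached: ssh(1) takes the first value it sees for an option, and a value inside a "Host" block applies only to hosts matching that pattern. The following is an added example, not part of the FreeBSD advisory, that reports the effective global UseRoaming setting of an ssh_config(5)-style file and, where needed, inserts 'UseRoaming no' at the top so that it precedes any Host/Match block and any earlier 'UseRoaming yes'. The function names are the example's own; the file path is a parameter.

```shell
#!/bin/sh
# Added example, not part of the FreeBSD advisory: apply the SA-16:07
# workaround to an ssh_config(5)-style file (e.g. /etc/ssh/ssh_config or
# ~/.ssh/config) and report the state before and after.

# Print the effective global UseRoaming value in file $1, or "unset".
# ssh(1) uses the first value obtained for an option, so the first
# matching line wins. Lines are counted as global when they appear before
# any Host/Match block or inside a "Host *" block; a value under any
# narrower Host pattern is ignored, since it would not cover every server.
use_roaming_value() {
    v=$(awk '
        BEGIN { global = 1 }
        { sub(/=/, " ") }                  # accept the "UseRoaming=no" spelling
        tolower($1) == "host"  { global = (NF == 2 && $2 == "*"); next }
        tolower($1) == "match" { global = 0; next }
        global && tolower($1) == "useroaming" { print tolower($2); exit }
    ' "$1")
    echo "${v:-unset}"
}

# Return 0 when the file already disables roaming for every host.
roaming_disabled() {
    [ "$(use_roaming_value "$1")" = "no" ]
}

# Prepend "UseRoaming no". Idempotent: a file that already disables
# roaming is left untouched. The new content is written back through the
# existing file rather than via rename, so owner and mode are preserved.
disable_roaming() {
    f=$1
    if roaming_disabled "$f"; then
        echo "$f: UseRoaming already no"
        return 0
    fi
    tmp=$(mktemp) || return 1
    { echo "UseRoaming no"; cat "$f"; } > "$tmp" && cat "$tmp" > "$f"
    rm -f "$tmp"
    echo "$f: UseRoaming no added"
}

# Demonstration on constructed config fragments (not real system files).
demo_dir=$(mktemp -d)
printf '# only per-host, not enough\nHost bastion\n    UseRoaming no\n' > "$demo_dir/partial"
printf 'UseRoaming yes\nHost *\n    ForwardAgent no\n' > "$demo_dir/enabled"
for f in partial enabled; do
    printf '%s before: %s\n' "$f" "$(use_roaming_value "$demo_dir/$f")"
    disable_roaming "$demo_dir/$f" > /dev/null
    printf '%s after:  %s\n' "$f" "$(use_roaming_value "$demo_dir/$f")"
done
rm -rf "$demo_dir"
```

For a single session the command-line form from the advisory, ssh -oUseRoaming=no, needs no file change; the file edit is what protects every later invocation, and, as the advisory says, sessions already open keep the old setting until restarted.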
FreeBSD Security Advisory FreeBSD-SA-16:06.bsnmpd
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

FreeBSD-SA-16:06.bsnmpd                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Insecure default bsnmpd.conf permissions

Category:       contrib
Module:         bsnmpd
Announced:      2016-01-14
Credits:        Pierre Kim
Affects:        All supported versions of FreeBSD.
Corrected:      2016-01-14 09:11:42 UTC (stable/10, 10.2-STABLE)
                2016-01-14 09:10:46 UTC (releng/10.2, 10.2-RELEASE-p9)
                2016-01-14 09:11:16 UTC (releng/10.1, 10.1-RELEASE-p26)
                2016-01-14 09:11:48 UTC (stable/9, 9.3-STABLE)
                2016-01-14 09:11:26 UTC (releng/9.3, 9.3-RELEASE-p33)
CVE Name:       CVE-2015-5677

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The bsnmpd daemon serves the Internet SNMP (Simple Network Management
Protocol). It is intended to serve only the absolute basic MIBs and
implements all other MIBs through loadable modules.

II.  Problem Description

The SNMP protocol supports an authentication model called USM, which
relies on a shared secret. The default permission of the bsnmpd
configuration file, /etc/bsnmpd.conf, is weak and does not provide
adequate protection against local unprivileged users.

III. Impact

A local user may be able to read the shared secret, if configured and
used by the system administrator.

IV.  Workaround

No workaround is available, but systems that do not use bsnmpd with its
USM authentication model are not vulnerable.

V.   Solution

This vulnerability can be fixed by modifying the permission on
/etc/bsnmpd.conf to owner root:wheel and permission 0600.

The patch is provided mainly for third party vendors who deploy FreeBSD
and provide a safe default. The patch itself DOES NOT fix the permissions
for existing installations.

The patch can be applied by performing one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

The system administrator should change the permission on
/etc/bsnmpd.conf to root:wheel and 0600.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The system administrator should change the permission on
/etc/bsnmpd.conf to root:wheel and 0600.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-16:06/bsnmpd.patch
# fetch https://security.FreeBSD.org/patches/SA-16:06/bsnmpd.patch.asc
# gpg --verify bsnmpd.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                      Revision
- ----------------------------------------
stable/9/                        r293898
releng/9.3/                      r293896
stable/10/                       r293897
releng/10.1/                     r293894
releng/10.2/                     r293893
- ----------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5677>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:06.bsnmpd.asc>

-BEGIN PGP SIGNATURE-
iQIcBAEBCgAGBQJWl2j4AAoJEO1n7NZdz2rnkaQP/3K9kqYY1YoHQ++uzFPnfuZQ mkGPJ0frGG46pTL806QJidky6D0LP0zNCzhtU45ZlFMguJ3B3QYp/62Cw61dBG22 x0uEkvI2F2F39IPA/clspyUHg3Y1RYgTpJrxey0JLrK0yxelyI8vMw
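The advisory is explicit that the patch only changes the default for new installs and that existing systems must have /etc/bsnmpd.conf set to root:wheel and 0600 by hand. The following is an added example, not part of the FreeBSD advisory, that checks whether a secret-bearing file is readable or writable by anyone other than its owner and repairs it. It relies on the ls(1) mode string rather than stat(1), whose flags differ between FreeBSD and GNU userland; the path, owner and group are parameters and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the FreeBSD advisory: check and repair the
# ownership and mode of a file that holds a shared secret, as the advisory
# asks the administrator to do for /etc/bsnmpd.conf (root:wheel, 0600).

# Print the group-and-other part of the mode string, e.g. "r--r--".
# Columns 5-10 of "ls -l" output are the same on FreeBSD and GNU ls; an
# ACL or security-context marker only appears after column 10.
gro_bits() {
    ls -ld "$1" | cut -c5-10
}

# Print "owner:group" as ls(1) reports them.
owner_group() {
    ls -ld "$1" | awk '{ print $3 ":" $4 }'
}

# Return 0 when nobody but the owner can read or write the file and the
# owner:group pair is the expected one (defaults root:wheel, as in the
# advisory).
secret_file_ok() {
    [ "$(gro_bits "$1")" = "------" ] &&
        [ "$(owner_group "$1")" = "${2:-root}:${3:-wheel}" ]
}

# Close the mode first: that alone stops other local users reading the
# secret, and works without root when run by the file's owner. The chown
# needs root; report instead of aborting when it is refused. Prints the
# resulting group/other bits so the caller can confirm "------".
harden_secret_file() {
    chmod 0600 "$1" || return 1
    chown "${2:-root}:${3:-wheel}" "$1" 2>/dev/null ||
        echo "$1: chown to ${2:-root}:${3:-wheel} refused (run as root)" >&2
    gro_bits "$1"
}

# Demonstration on a constructed placeholder file with the weak 0644 mode
# the advisory describes (not a real bsnmpd.conf).
demo_dir=$(mktemp -d)
cfg="$demo_dir/bsnmpd.conf"
echo '# constructed placeholder, not a real bsnmpd.conf' > "$cfg"
chmod 0644 "$cfg"
printf 'before: group/other bits %s, owner %s\n' "$(gro_bits "$cfg")" "$(owner_group "$cfg")"
harden_secret_file "$cfg" "$(id -un)" "$(id -gn)" > /dev/null
if secret_file_ok "$cfg" "$(id -un)" "$(id -gn)"; then
    printf 'after:  group/other bits %s, only the owner can read it\n' "$(gro_bits "$cfg")"
fi
rm -rf "$demo_dir"
```

On a real system run it as root with the defaults, `harden_secret_file /etc/bsnmpd.conf`, and then `secret_file_ok /etc/bsnmpd.conf` as the post-check; the same pair applies to any other file that carries a USM or community secret.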
FreeBSD Security Advisory FreeBSD-SA-15:27.bind
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

FreeBSD-SA-15:27.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          BIND remote denial of service vulnerability

Category:       contrib
Module:         bind
Announced:      2015-12-16
Credits:        ISC
Affects:        FreeBSD 9.x
Corrected:      2015-12-16 06:10:05 UTC (stable/9, 9.3-STABLE)
                2015-12-16 06:21:26 UTC (releng/9.3, 9.3-RELEASE-p32)
CVE Name:       CVE-2015-8000

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server. The libdns library
is a library of DNS protocol support functions.

II.  Problem Description

An error in the parsing of incoming responses allows some records with an
incorrect class to be accepted by BIND instead of being rejected as
malformed. This can trigger a REQUIRE assertion failure when those
records are subsequently cached.

III. Impact

An attacker who can cause a server to request a record with a malformed
class attribute can use this bug to trigger a REQUIRE assertion in db.c,
causing named to exit and denying service to clients.

The risk to recursive servers is high. Authoritative servers are at
limited risk if they perform authentication when making recursive queries
to resolve addresses for servers listed in NS RRSETs.

IV.  Workaround

No workaround is available, but hosts not running named(8) are not
vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

The named service has to be restarted after the update. A reboot is
recommended but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The named service has to be restarted after the update. A reboot is
recommended but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-15:27/bind.patch
# fetch https://security.FreeBSD.org/patches/SA-15:27/bind.patch.asc
# gpg --verify bind.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                      Revision
- ----------------------------------------
stable/9/                        r292320
releng/9.3/                      r292321
- ----------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision=NN>

VII. References

<URL:https://kb.isc.org/article/AA-01317>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8000>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:27.bind.asc>

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.1.8 (FreeBSD)

iQIcBAEBCgAGBQJWcQOeAAoJEO1n7NZdz2rnpUoQAIjWIowpcRnteiQ8xJFnebHN iXj0vEWBGXofefDF1QzMZe0+mu688Brw1UGC89alhJVKfcmUP66okW5KP+4KDWUp +jkIqjw0VLrWztc8V+YzGKkbFNprvYUKhzJJ/Y5TLjadqGRc5BBBDxwzY+9CnDfC P+OzaTHwO2HIrqclt5nVyhgBTXSGZHai6Eyw2fBuhmEqbOWNr4cBu8IVhAtvw6SR 0lFSSITZ2z6YrDTq7l7fkeJwv+MnerpBXfe57P6r6tbDzzmsmZiNKABsk9wW2lkP kuOTf14VNoMySCwQ60PUEtflERCTJ/QRZxZTbBRh4YZXJxPsERwj3dlfguMA/5Pq sO9cxbhSKdoaiswKev67uVUkJXCePb8YIfcxui9Wj5YgcYaN5Au9F/tX2xMmWwfp 2+XwiRkLoNao+NYrx6hAJjWxAUTZJJJhWvu6L7mpBiImsqczd5AJq52bqD/C2M5C v0acQ6ozNz2Fdkxy4YA1kuXm1STwFuCAfWSVYOpaLz42PeRrHzfqXFuAsoJCp8k1 2m2pFgLgQKG
FreeBSD Security Advisory FreeBSD-SA-15:25.ntp [REVISED]
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

FreeBSD-SA-15:25.ntp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities of ntp [REVISED]

Category:       contrib
Module:         ntp
Announced:      2015-10-26, revised on 2015-11-04
Credits:        Network Time Foundation
Affects:        All supported versions of FreeBSD.
Corrected:      2015-10-26 11:35:40 UTC (stable/10, 10.2-STABLE)
                2015-11-04 11:27:13 UTC (releng/10.2, 10.2-RELEASE-p7)
                2015-11-04 11:27:21 UTC (releng/10.1, 10.1-RELEASE-p24)
                2015-11-02 10:39:26 UTC (stable/9, 9.3-STABLE)
                2015-11-04 11:27:30 UTC (releng/9.3, 9.3-RELEASE-p30)
CVE Name:       CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704,
                CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851,
                CVE-2015-7852, CVE-2015-7853, CVE-2015-7854, CVE-2015-7855,
                CVE-2015-7871

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

0.   Revision history.

v1.0  2015-10-26 Initial release.
v1.1  2015-11-04 Revised patches to address regression in ntpq(8), ntpdc(8)
                 utilities and lack of RAWDCF reference clock support in
                 ntpd(8).

I.   Background

The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
used to synchronize the time of a computer system to a reference time
source.

II.  Problem Description

Crypto-NAK packets can be used to cause ntpd(8) to accept time from an
unauthenticated ephemeral symmetric peer by bypassing the authentication
required to mobilize peer associations. [CVE-2015-7871]

FreeBSD 9.3 and 10.1 are not affected.

If ntpd(8) is fed a crafted mode 6 or mode 7 packet containing an
unusually long data value where a network address is expected, the
decodenetnum() function will abort with an assertion failure instead of
simply returning a failure condition. [CVE-2015-7855]

If ntpd(8) is configured to allow remote configuration, and if the
(possibly spoofed) source IP address is allowed to send remote
configuration requests, and if the attacker knows the remote
configuration password or if ntpd(8) was configured to disable
authentication, then an attacker can send a set of packets to ntpd(8)
that may cause it to crash, with the hypothetical possibility of a small
code injection. [CVE-2015-7854]

A negative value for the datalen parameter will overflow a data buffer.
The reference clock drivers shipped by NTF in ntpd(8) always set this
value to 0 and are therefore not vulnerable to this weakness. If the
system runs a custom refclock driver in ntpd(8) and that driver supplies
a negative value for datalen (no custom driver of even minimal competence
would do this), then ntpd(8) would overflow the data buffer. It is even
hypothetically possible in this case that instead of simply crashing
ntpd(8), the attacker could effect a code injection attack.
[CVE-2015-7853]

If an attacker can figure out the precise moment that ntpq(8) is
listening for data and the port number on which it is listening, or if
the attacker can provide a malicious instance of ntpd(8) that victims
will connect to, then an attacker can send a set of crafted mode 6
response packets that, if received by ntpq(8), can cause ntpq(8) to
crash. [CVE-2015-7852]

If ntpd(8) is configured to allow remote configuration, and if the
(possibly spoofed) IP address is allowed to send remote configuration
requests, and if the attacker knows the remote configuration password or
if ntpd(8) was configured to disable authentication, then an attacker can
send a set of packets to ntpd(8) that may cause ntpd(8) to overwrite
files. [CVE-2015-7851]

The default configuration of ntpd(8) within FreeBSD does not allow remote
configuration.

If ntpd(8) is configured to allow remote configuration, and if the
(possibly spoofed) source IP address is allowed to send remote
configuration requests, and if the attacker knows the remote
configuration password or if ntpd(8) was configured to disable
authentication, then an attacker can send a set of packets to ntpd(8)
that will cause it to crash and/or create a potentially huge log file.
Specifically, the attacker could enable extended logging, point the key
file at the log file, and cause what amounts to an infinite loop.
[CVE-2015-7850]

The default configuration of ntpd(8) within FreeBSD does not allow remote
configuration.

If ntpd(8) is configured to allow remote configuration, and if the
(possibly spoofed) source IP address is allowed to send remote
configuration requests, and if the attacker knows the remote
configuration password or if ntpd(8) was configured to disable
authentication, then an attacker can send a set
FreeBSD Security Advisory FreeBSD-SA-15:25.ntp
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

FreeBSD-SA-15:25.ntp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities of ntp

Category:       contrib
Module:         ntp
Announced:      2015-10-26
Credits:        Network Time Foundation
Affects:        All supported versions of FreeBSD.
Corrected:      2015-10-26 11:35:40 UTC (stable/10, 10.2-STABLE)
                2015-10-26 11:36:55 UTC (releng/10.2, 10.2-RELEASE-p6)
                2015-10-26 11:37:31 UTC (releng/10.1, 10.1-RELEASE-p23)
                2015-10-26 11:36:40 UTC (stable/9, 9.3-STABLE)
                2015-10-26 11:42:25 UTC (releng/9.3, 9.3-RELEASE-p29)
CVE Name:       CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704,
                CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851,
                CVE-2015-7852, CVE-2015-7853, CVE-2015-7854, CVE-2015-7855,
                CVE-2015-7871

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) used to synchronize the time of a computer system to a reference time source.

II.  Problem Description

Crypto-NAK packets can be used to cause ntpd(8) to accept time from an unauthenticated ephemeral symmetric peer by bypassing the authentication required to mobilize peer associations. [CVE-2015-7871]

FreeBSD 9.3 and 10.1 are not affected.

If ntpd(8) is fed a crafted mode 6 or mode 7 packet containing an unusually long data value where a network address is expected, the decodenetnum() function will abort with an assertion failure instead of simply returning a failure condition. [CVE-2015-7855]

If ntpd(8) is configured to allow remote configuration, and if the (possibly spoofed) source IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password or if ntpd(8) was configured to disable authentication, then an attacker can send a set of packets to ntpd(8) that may cause it to crash, with the hypothetical possibility of a small code injection. [CVE-2015-7854]

A negative value for the datalen parameter will overflow a data buffer. NTF's ntpd(8) driver implementations always set this value to 0 and are therefore not vulnerable to this weakness. If you are running a custom refclock driver in ntpd(8) and that driver supplies a negative value for datalen (no custom driver of even minimal competence would do this), then ntpd(8) would overflow a data buffer. It is even hypothetically possible in this case that instead of simply crashing ntpd(8), the attacker could effect a code injection attack. [CVE-2015-7853]

If an attacker can figure out the precise moment that ntpq(8) is listening for data and the port number it is listening on, or if the attacker can provide a malicious ntpd(8) instance that victims will connect to, then the attacker can send a set of crafted mode 6 response packets that, if received by ntpq(8), can cause ntpq(8) to crash. [CVE-2015-7852]

If ntpd(8) is configured to allow remote configuration, and if the (possibly spoofed) IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password or if ntpd(8) was configured to disable authentication, then an attacker can send a set of packets to ntpd(8) that may cause it to overwrite files. [CVE-2015-7851]

The default configuration of ntpd(8) within FreeBSD does not allow remote configuration.

If ntpd(8) is configured to allow remote configuration, and if the (possibly spoofed) source IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password or if ntpd(8) was configured to disable authentication, then an attacker can send a set of packets to ntpd(8) that will cause it to crash and/or create a potentially huge log file. Specifically, the attacker could enable extended logging, point the key file at the log file, and cause what amounts to an infinite loop. [CVE-2015-7850]

The default configuration of ntpd(8) within FreeBSD does not allow remote configuration.

If ntpd(8) is configured to allow remote configuration, and if the (possibly spoofed) source IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password or if ntpd(8) was configured to disable authentication, then an attacker can send a set of packets to ntpd(8) that may cause a crash or theoretically perform a code injection attack. [CVE-2015-7849]

The default configuration of ntpd(8) within FreeBSD does not allow remote configuration.

If ntpd(8) is configured to enable mode 7 packets, and if the use of mode 7
FreeBSD Security Advisory FreeBSD-SA-15:24.rpcbind [REVISED]
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

FreeBSD-SA-15:24.rpcbind                                    Security Advisory
                                                          The FreeBSD Project

Topic:          rpcbind(8) remote denial of service [REVISED]

Category:       core
Module:         rpcbind
Announced:      2015-09-29, revised on 2015-10-02
Affects:        All supported versions of FreeBSD.
Corrected:      2015-10-02 16:36:16 UTC (stable/10, 10.2-STABLE)
                2015-10-02 16:37:06 UTC (releng/10.2, 10.2-RELEASE-p5)
                2015-10-02 16:37:06 UTC (releng/10.1, 10.1-RELEASE-p22)
                2015-10-02 16:36:16 UTC (stable/9, 9.3-STABLE)
                2015-10-02 16:37:06 UTC (releng/9.3, 9.3-RELEASE-p28)
CVE Name:       CVE-2015-7236

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

0.   Revision history

v1.0  2015-09-29  Initial release.
v1.1  2015-10-02  Revised patch to address a regression related to NIS usage.

I.   Background

Sun RPC is a remote procedure call framework which allows clients to invoke procedures in a server process over a network transparently. The rpcbind(8) utility is a server that converts RPC program numbers into universal addresses. It must be running on the host to be able to make RPC calls on a server on that machine.

The Sun RPC framework uses a netbuf structure to represent the transport-specific form of a universal transport address. The structure is expected to be opaque to consumers. In the current implementation, the structure contains a pointer to a buffer that holds the actual address.

II.  Problem Description

In rpcbind(8), netbuf structures are copied directly, which results in two netbuf structures that reference one shared address buffer. When one of the two netbuf structures is freed, access to the other netbuf structure results in undefined behavior that may crash the rpcbind(8) daemon.

III. Impact

A remote attacker who can send specifically crafted packets to the rpcbind(8) daemon can cause it to crash, resulting in a denial of service condition.

IV.  Workaround

No workaround is available, but systems that do not provide the rpcbind(8) service to untrusted systems, or do not provide any RPC services, are not vulnerable. On FreeBSD, typical RPC-based services include NIS and NFS.

Alternatively, rpcbind(8) can be configured to bind to specific IP address(es) by using the '-h' option. This may be used to reduce the attack surface when the system has multiple network interfaces and some of them face an untrusted network.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

Restart the applicable daemons, or reboot the system. Because rpcbind(8) is an essential service to all RPC service daemons, these daemons may also need to be restarted.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Restart the applicable daemons, or reboot the system. Because rpcbind(8) is an essential service to all RPC service daemons, these daemons may also need to be restarted.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:24/rpcbind.patch
# fetch https://security.FreeBSD.org/patches/SA-15:24/rpcbind.patch.asc
# gpg --verify rpcbind.patch.asc

# fetch https://security.FreeBSD.org/patches/SA-15:24/rpcbind-00.patch
# fetch https://security.FreeBSD.org/patches/SA-15:24/rpcbind-00.patch.asc
# gpg --verify rpcbind-00.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                         Revision
stable/9/                                                            r288511
releng/9.3/                                                          r288512
stable/10/
FreeBSD Security Advisory FreeBSD-SA-15:22.openssh
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

FreeBSD-SA-15:22.openssh                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSH multiple vulnerabilities

Category:       contrib
Module:         openssh
Announced:      2015-08-25
Affects:        All supported versions of FreeBSD.
Corrected:      2015-08-25 20:48:44 UTC (stable/10, 10.2-STABLE)
                2015-08-25 20:48:51 UTC (releng/10.2, 10.2-RC3-p2)
                2015-08-25 20:48:51 UTC (releng/10.2, 10.2-RELEASE-p2)
                2015-08-25 20:48:58 UTC (releng/10.1, 10.1-RELEASE-p19)
                2015-08-25 20:48:44 UTC (stable/9, 9.3-STABLE)
                2015-08-25 20:49:05 UTC (releng/9.3, 9.3-RELEASE-p24)

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

OpenSSH is an implementation of the SSH protocol suite, providing an encrypted and authenticated transport for a variety of services, including remote shell access.

The PAM (Pluggable Authentication Modules) library provides a flexible framework for user authentication and session setup / teardown. The default FreeBSD OpenSSH configuration has PAM interactive authentication enabled.

Privilege separation is a technique in which a program is divided into multiple cooperating processes, each with a different task, where each process is limited to the specific privileges required to perform that specific task, while the privileged parent process acts as an arbiter.

II.  Problem Description

A programming error in the privileged monitor process of the sshd(8) service may allow the username of an already-authenticated user to be overwritten by the unprivileged child process.

A use-after-free error in the privileged monitor process of the sshd(8) service may be deterministically triggered by the actions of a compromised unprivileged child process.

A use-after-free error in the session multiplexing code in the sshd(8) service may result in unintended termination of the connection.

III. Impact

The first bug may allow a remote attacker who a) has already succeeded by other means in compromising the unprivileged pre-authentication child process and b) has valid credentials to one user on the target system to impersonate a different user.

The second bug may allow a remote attacker who has already succeeded by other means in compromising the unprivileged pre-authentication child process to bypass PAM authentication entirely.

The third bug is not exploitable, but can cause premature termination of a multiplexed ssh connection.

IV.  Workaround

No workaround is available, but systems where ssh(1) and sshd(8) are not used are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

The sshd(8) service has to be restarted after the update. A reboot is recommended but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The sshd(8) service has to be restarted after the update. A reboot is recommended but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:22/openssh.patch
# fetch https://security.FreeBSD.org/patches/SA-15:22/openssh.patch.asc
# gpg --verify openssh.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the sshd(8) daemon, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                         Revision
stable/9/                                                            r287144
releng/9.3/                                                          r287147
stable/10/                                                           r287144
releng/10.1/                                                         r287146
releng/10.2/                                                         r287145
FreeBSD Security Advisory FreeBSD-SA-15:21.amd64
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

FreeBSD-SA-15:21.amd64                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Local privilege escalation in IRET handler

Category:       core
Module:         sys_amd64
Announced:      2015-08-25
Credits:        Konstantin Belousov, Andrew Lutomirski
Affects:        FreeBSD 9.3 and FreeBSD 10.1
Corrected:      2015-03-31 00:59:30 UTC (stable/10, 10.1-STABLE)
                2015-08-25 20:48:58 UTC (releng/10.1, 10.1-RELEASE-p19)
                2015-03-31 01:08:51 UTC (stable/9, 9.3-STABLE)
                2015-08-25 20:49:05 UTC (releng/9.3, 9.3-RELEASE-p24)
CVE Name:       CVE-2015-5675

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

FreeBSD/amd64 is commonly used on 64-bit systems with AMD and Intel CPUs.

The GS segment CPU register is used by both user processes and the kernel to conveniently access state data: 32-bit user processes use the register to manage per-thread data, while the kernel uses it to access per-processor data.

The return from interrupt (IRET) instruction returns program control from an interrupt handler to the interrupted context.

II.  Problem Description

If the kernel-mode IRET instruction generates an #SS or #NP exception, but the exception handler does not properly ensure that the correct kernel GS register base is reloaded, the userland GS segment may be used in the context of the kernel exception handler.

III. Impact

By causing an IRET with #SS or #NP exceptions, a local attacker can cause the kernel to use an arbitrary GS base, which may allow escalated privileges or panic the system.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

And reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:21/amd64.patch
# fetch https://security.FreeBSD.org/patches/SA-15:21/amd64.patch.asc
# gpg --verify amd64.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                         Revision
stable/9/                                                            r280877
releng/9.3/                                                          r287147
stable/10/                                                           r280875
releng/10.1/                                                         r287146

To see which files were modified by a particular revision, run the following command, replacing NN with the revision number, on a machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5675>

The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:21.amd64.asc>

-BEGIN PGP SIGNATURE-
FreeBSD Security Advisory FreeBSD-SA-15:20.expat
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

FreeBSD-SA-15:20.expat                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple integer overflows in expat (libbsdxml) XML parser

Category:       contrib
Module:         libbsdxml
Announced:      2015-08-18
Affects:        All supported versions of FreeBSD.
Corrected:      2015-08-18 19:30:05 UTC (stable/10, 10.2-STABLE)
                2015-08-18 19:30:35 UTC (releng/10.1, 10.1-RELEASE-p18)
                2015-08-18 19:30:17 UTC (releng/10.2, 10.2-RC3-p1)
                2015-08-18 19:30:17 UTC (releng/10.2, 10.2-RELEASE-p1)
                2015-08-18 19:30:05 UTC (stable/9, 9.3-STABLE)
                2015-08-18 19:30:35 UTC (releng/9.3, 9.3-RELEASE-p23)
CVE Name:       CVE-2015-1283

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

Expat is an XML parser library written in C. It is a stream-oriented parser in which an application registers handlers for things the parser might find in the XML document (like start tags).

The FreeBSD base system ships libexpat as libbsdxml for components that need to parse XML data. Some of these applications use the XML parser on trusted data from the kernel, for instance the geom(8) configuration utilities, while other applications, like tar(1), cpio(1), svnlite(1) and unbound-anchor(8), may use the XML parser on input from the network or the user.

II.  Problem Description

Multiple integer overflows have been discovered in the XML_GetBuffer() function in the expat library.

III. Impact

The integer overflows may be exploited by using specifically crafted XML data and lead to an infinite loop, or a heap buffer overflow, which results in a Denial of Service condition, or enables remote attackers to execute arbitrary code.

IV.  Workaround

No workaround is available, but the problem is only exploitable when the affected system needs to process data from an untrusted source.

Because the library is used by many third-party applications, we advise system administrators to check and make sure that they have the latest expat version as well, and restart all third-party services, or reboot the system.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

A reboot is not required after updating the base system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

A reboot is not required after updating the base system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:20/expat.patch
# fetch https://security.FreeBSD.org/patches/SA-15:20/expat.patch.asc
# gpg --verify expat.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

The FreeBSD base system does not install daemons that use the library; therefore, a reboot is not required after updating the base system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                         Revision
stable/9/                                                            r286900
releng/9.3/                                                          r286902
stable/10/                                                           r286900
releng/10.1/                                                         r286902
releng/10.2/                                                         r286901

To see which files were modified by a particular revision, run the following command, replacing NN with the revision number, on a machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1283>

The latest
FreeBSD Security Advisory FreeBSD-SA-15:19.routed
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

FreeBSD-SA-15:19.routed                                     Security Advisory
                                                          The FreeBSD Project

Topic:          routed(8) remote denial of service vulnerability

Category:       core
Module:         routed
Announced:      2015-08-05
Credits:        Hiroki Sato
Affects:        All supported versions of FreeBSD.
Corrected:      2015-08-05 22:05:02 UTC (stable/10, 10.2-PRERELEASE)
                2015-08-05 22:05:02 UTC (stable/10, 10.2-BETA2-p3)
                2015-08-05 22:05:12 UTC (releng/10.2, 10.2-RC1-p2)
                2015-08-05 22:05:12 UTC (releng/10.2, 10.2-RC2-p1)
                2015-08-05 22:05:18 UTC (releng/10.1, 10.1-RELEASE-p17)
                2015-08-05 22:05:07 UTC (stable/9, 9.3-STABLE)
                2015-08-05 22:05:24 UTC (releng/9.3, 9.3-RELEASE-p22)
CVE Name:       CVE-2015-5674

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The Routing Information Protocol (RIP) is an older routing protocol which, while not as capable as more recent protocols such as OSPF and BGP, is sometimes preferred for its simplicity and therefore still used as an interior gateway protocol on smaller networks. Routers in a RIP network periodically broadcast their routing table on all enabled interfaces. Neighboring routers and hosts receive these broadcasts and update their routing tables accordingly.

The routed(8) daemon is a RIP implementation for FreeBSD. The rtquery(8) utility can be used to send a RIP query to a router and display the result without updating the routing table.

II.  Problem Description

The input path in routed(8) will accept queries from any source and attempt to answer them. However, the output path assumes that the destination address for the response is on a directly connected network.

III. Impact

Upon receipt of a query from a source which is not on a directly connected network, routed(8) will trigger an assertion and terminate. The affected system's routing table will no longer be updated. If the affected system is a router, its routes will eventually expire from other routers' routing tables, and its networks will no longer be reachable unless they are also connected to another router.

IV.  Workaround

Note that this problem does not affect a system on which routed(8) is not enabled. The routed(8) daemon is not enabled by default.

Use a packet filter such as pf(4) or ipfw(4) to block incoming UDP packets with destination port 520 that did not originate on the same subnet as the destination address.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

The routed service has to be restarted after the update. A reboot is recommended but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The routed service has to be restarted after the update. A reboot is recommended but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-15:19/routed.patch
# fetch http://security.FreeBSD.org/patches/SA-15:19/routed.patch.asc
# gpg --verify routed.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/routed.patch

c) Recompile routed. Execute the following commands as root:

# cd /usr/src/sbin/routed
# make
# make install

Restart the routed daemon, or reboot the system.

To restart the affected service after updating the system, either reboot the system or execute the following command as root:

# service routed restart

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                         Revision
stable/9/                                                            r286349
releng/9.3/                                                          r286352
stable/10/                                                           r286348
releng/10.1/                                                         r286351
releng/10.2/                                                         r286350
FreeBSD Security Advisory FreeBSD-SA-15:18.bsdpatch
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

FreeBSD-SA-15:18.bsdpatch                                   Security Advisory
                                                          The FreeBSD Project

Topic:          shell injection vulnerability in patch(1)

Category:       contrib
Module:         patch
Announced:      2015-08-05
Credits:        Martin Natano
Affects:        FreeBSD 10.x.
Corrected:      2015-08-05 22:05:02 UTC (stable/10, 10.2-PRERELEASE)
                2015-08-05 22:05:02 UTC (stable/10, 10.2-BETA2-p3)
                2015-08-05 22:05:12 UTC (releng/10.2, 10.2-RC1-p2)
                2015-08-05 22:05:12 UTC (releng/10.2, 10.2-RC2-p1)
                2015-08-05 22:05:18 UTC (releng/10.1, 10.1-RELEASE-p17)
CVE Name:       CVE-2015-1418

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The patch(1) utility takes a patch file produced by the diff(1) program and applies the differences to an original file, producing a patched version. The patch(1) utility supports patches that use the ed(1) script format, as required by the POSIX.1-2008 standard. ed(1) is a line-oriented text editor.

II.  Problem Description

Due to insufficient sanitization of the input patch stream, it is possible for a patch file to cause patch(1) to pass certain ed(1) scripts to the ed(1) editor, which would run commands.

III. Impact

This issue could be exploited to execute arbitrary commands as the user invoking patch(1) against a specifically crafted patch file, which could be leveraged to obtain elevated privileges.

IV.  Workaround

No workaround is available, but systems where a privileged user does not make use of patches without proper validation are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

A reboot is not required after updating.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

A reboot is not required after updating.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:18/bsdpatch.patch
# fetch https://security.FreeBSD.org/patches/SA-15:18/bsdpatch.patch.asc
# gpg --verify bsdpatch.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                         Revision
stable/10/                                                           r286348
releng/10.1/                                                         r286351
releng/10.2/                                                         r286350

To see which files were modified by a particular revision, run the following command, replacing NN with the revision number, on a machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1418>

The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:18.bsdpatch.asc>

-BEGIN PGP SIGNATURE-
FreeBSD Security Advisory FreeBSD-SA-15:16.openssh [REVISED]
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

FreeBSD-SA-15:16.openssh                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSH multiple vulnerabilities

Category:       contrib
Module:         openssh
Announced:      2015-07-28, revised on 2015-07-30
Affects:        All supported versions of FreeBSD.
Corrected:      2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
                2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
                2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
                2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
                2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)
                2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)
                2015-07-30 10:09:07 UTC (stable/8, 8.4-STABLE)
                2015-07-30 10:09:31 UTC (releng/8.4, 8.4-RELEASE-p36)
CVE Name:       CVE-2014-2653, CVE-2015-5600

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

0.   Revision history

v1.0  2015-02-25  Initial release.
v1.1  2015-07-30  Revised patch for FreeBSD 8.x to address a regression when keyboard-interactive authentication is used.

I.   Background

OpenSSH is an implementation of the SSH protocol suite, providing an encrypted and authenticated transport for a variety of services, including remote shell access.

The security of the SSH connection relies on the server authenticating itself to the client as well as the user authenticating itself to the server. SSH servers use host keys to verify their identity. RFC 4255 defines a method of verifying SSH host keys using Domain Name System Security (DNSSEC), by publishing the key fingerprint in DNS with the SSHFP resource record. RFC 6187 defines methods to use a signature by a trusted certification authority to bind a given public key to a given digital identity with X.509v3 certificates.

The PAM (Pluggable Authentication Modules) library provides a flexible framework for user authentication and session setup / teardown. OpenSSH uses PAM for password authentication by default.

II.  Problem Description

OpenSSH clients do not correctly verify DNS SSHFP records when a server offers a certificate. [CVE-2014-2653]

OpenSSH servers which are configured to allow password authentication using PAM (the default) would allow many password attempts. [CVE-2015-5600]

III. Impact

A malicious server may be able to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual verification of the host key fingerprint. This could allow a man-in-the-middle attack if the user does not carefully check the fingerprint. [CVE-2014-2653]

A remote attacker may effectively bypass the MaxAuthTries setting, which would enable them to brute force passwords. [CVE-2015-5600]

IV.  Workaround

Systems that do not use OpenSSH are not affected.

There is no workaround for CVE-2014-2653, but the problem only affects networks where DNSSEC and SSHFP are properly configured. Users of SSH should always check server host key fingerprints carefully when prompted.

System administrators can set:

	UsePAM no

in their /etc/ssh/sshd_config and restart the sshd service to work around the problem described as CVE-2015-5600, at the expense of losing features provided by the PAM framework.

We recommend that system administrators disable password-based authentication completely, and use key-based authentication exclusively in their SSH server configuration, when possible. This would eliminate the possibility of ever being exposed to a password brute force attack.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

The SSH service has to be restarted after the update. A reboot is recommended but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The SSH service has to be restarted after the update. A reboot is recommended but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 9.3, 10.1, 10.2]
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch.asc
# gpg --verify openssh.patch.asc

[FreeBSD 8.4]
# fetch https
FreeBSD Security Advisory FreeBSD-SA-15:14.bsdpatch

FreeBSD-SA-15:14.bsdpatch                                 Security Advisory
                                                         The FreeBSD Project

Topic:          shell injection vulnerability in patch(1)

Category:       contrib
Module:         patch
Announced:      2015-07-28
Credits:        Martin Natano
Affects:        FreeBSD 10.x.
Corrected:      2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
                2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
                2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
                2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
CVE Name:       CVE-2015-1416

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit https://security.FreeBSD.org/.

I.   Background

The patch(1) utility takes a patch file produced by the diff(1) program and
applies the differences to an original file, producing a patched version.

The patch(1) utility supports certain version control systems, namely SCCS
and RCS, and attempts to get or check out the file before applying a patch if
the original file does not already exist.

II.  Problem Description

Due to insufficient sanitization of the input patch stream, it is possible
for a patch file to cause patch(1) to run commands in addition to the desired
SCCS or RCS commands.

III. Impact

This issue could be exploited to execute arbitrary commands as the user
invoking patch(1) against a specifically crafted patch file, which could be
leveraged to obtain elevated privileges.

IV.  Workaround

No workaround is available, but systems where a privileged user does not
make use of patches without proper validation are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

A reboot is not required after updating.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

A reboot is not required after updating.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:14/bsdpatch.patch
# fetch https://security.FreeBSD.org/patches/SA-15:14/bsdpatch.patch.asc
# gpg --verify bsdpatch.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in https://www.FreeBSD.org/handbook/makeworld.html.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                   Revision
- ----------------------------------------------------
stable/10/                                     r285976
releng/10.1/                                   r285978
releng/10.2/                                   r285979
- ----------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1416

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-15:14.bsdpatch.asc
FreeBSD Security Advisory FreeBSD-SA-15:15.tcp

FreeBSD-SA-15:15.tcp                                      Security Advisory
                                                         The FreeBSD Project

Topic:          Resource exhaustion in TCP reassembly

Category:       core
Module:         inet
Announced:      2015-07-28
Credits:        Patrick Kelsey (Norse Corporation)
Affects:        All supported versions of FreeBSD.
Corrected:      2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
                2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
                2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
                2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
                2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)
                2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)
                2015-07-28 19:58:54 UTC (stable/8, 8.4-STABLE)
                2015-07-28 19:59:22 UTC (releng/8.4, 8.4-RELEASE-p35)
CVE Name:       CVE-2015-1417

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit https://security.FreeBSD.org/.

I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data stream
service. The underlying simple and potentially unreliable IP datagram
communication protocol may deliver segments out of order, therefore the TCP
receiver needs to reassemble the segments into their original sequence to
provide a reliable octet stream.

Because reassembly requires additional resources to keep the queued
segments, resource exhaustion in the TCP reassembly path has historically
been prevented by limiting the total number of segments that could belong to
reassembly queues to a small fraction (1/16) of the total number of mbuf
clusters in the system.

VNET is a technique to virtualize the network stack, first introduced in
FreeBSD 8.0. It changes global resources in the network stack into per
network stack resources, so that a virtual network stack can be attached to a
jailed prison and the prison can have unrestricted access to the virtual
network stack. VNET is not enabled by default and has to be enabled by
recompiling the kernel.

II.  Problem Description

The introduction of VNET mistakenly converted the global limit on the number
of segments that could belong to reassembly queues into a per-VNET limit.
Because mbufs are allocated from a global pool, in the presence of a
sufficient number of VNETs the total number of mbufs attached to reassembly
queues can grow to the total number of mbufs in the system, at which point
all network traffic would cease.

III. Impact

An attacker who can establish concurrent TCP connections across a sufficient
number of VNETs and manipulate the inbound packet streams such that the
maximum number of mbufs are enqueued on each reassembly queue can cause mbuf
cluster exhaustion on the target system, resulting in a Denial of Service
condition.

As the default per-VNET limit on the number of segments that can belong to
reassembly queues is 1/16 of the total number of mbuf clusters in the system,
only systems that have 16 or more VNET instances are vulnerable.

IV.  Workaround

FreeBSD 8.x, 9.x and 10.x systems that do not make use of VNETs (option
VIMAGE) are not affected. The support has to be specifically compiled into a
custom kernel, so its use is not common.

For affected systems, the system administrators may consider reducing the
net.inet.tcp.reass.maxsegments tunable to the value of kern.ipc.nmbclusters
divided by one greater than the total number of VNETs that are going to be
used in the system, in order to prevent a Denial of Service via this
vulnerability. For example, if there are 16 VNETs in the system, the
net.inet.tcp.reass.maxsegments tunable should be set to
kern.ipc.nmbclusters / 17.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

And reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.2]
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp.patch
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp.patch.asc
# gpg --verify tcp.patch.asc

[FreeBSD
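The accounting problem behind SA-15:15 (a per-VNET cap drawing on one global mbuf pool) and the workaround formula are easiest to see in a small model. The following is an added example, not code from the advisory or the FreeBSD kernel; all names in it (ClusterPool, reassembly_fill, compare) are this example's own.

```python
"""Model of the accounting bug in FreeBSD-SA-15:15.tcp.

Added example; not code from the advisory or from the FreeBSD kernel. mbuf
clusters come from one global pool shared by every virtual network stack
(VNET).  The model compares two ways of capping TCP reassembly queues:
the pre-fix per-VNET limit (1/16 of the pool, applied per stack) and a single
global limit.  All names here (ClusterPool, reassembly_fill, ...) are this
example's own.
"""


class ClusterPool:
    """One global mbuf cluster pool, sized by kern.ipc.nmbclusters."""

    def __init__(self, nmbclusters):
        self.nmbclusters = nmbclusters
        self.in_use = 0

    def alloc(self):
        """Take one cluster; False when the pool is empty (network stalls)."""
        if self.in_use >= self.nmbclusters:
            return False
        self.in_use += 1
        return True

    @property
    def exhausted(self):
        return self.in_use >= self.nmbclusters


def reassembly_fill(nmbclusters, vnets, per_vnet_limit=None, global_limit=None):
    """Let each VNET queue out-of-order segments until a cap stops it.

    per_vnet_limit models net.inet.tcp.reass.maxsegments as a per-VNET
    counter (the buggy behaviour); global_limit models it as one counter
    for the whole system (the historical behaviour).  Returns
    (clusters held by reassembly queues, whether the pool ran dry).
    """
    pool = ClusterPool(nmbclusters)
    queued_total = 0
    for _vnet in range(vnets):
        queued_here = 0
        while True:
            if per_vnet_limit is not None and queued_here >= per_vnet_limit:
                break                       # this stack hit its own cap
            if global_limit is not None and queued_total >= global_limit:
                break                       # system-wide cap reached
            if not pool.alloc():
                break                       # no clusters left for anyone
            queued_here += 1
            queued_total += 1
    return queued_total, pool.exhausted


def default_limit(nmbclusters):
    """Historical default for the reassembly cap: 1/16 of the cluster pool."""
    return nmbclusters // 16


def workaround_limit(nmbclusters, vnets):
    """Advisory workaround: nmbclusters divided by (number of VNETs + 1)."""
    return nmbclusters // (vnets + 1)


def compare(nmbclusters=4096, vnets=16):
    """Summarise the three configurations for a pool size and VNET count."""
    cap = default_limit(nmbclusters)
    return {
        "per_vnet": reassembly_fill(nmbclusters, vnets, per_vnet_limit=cap),
        "global": reassembly_fill(nmbclusters, vnets, global_limit=cap),
        "workaround": reassembly_fill(
            nmbclusters, vnets,
            per_vnet_limit=workaround_limit(nmbclusters, vnets)),
    }


if __name__ == "__main__":
    # 16 VNETs is exactly the point at which the per-VNET cap empties the pool.
    for n in (15, 16, 17):
        print(n, "VNETs:", compare(vnets=n))
```

With a 4096-cluster pool, the per-VNET cap leaves 256 clusters free at 15 VNETs and none at 16, while the global cap and the workaround value (4096 / 17 = 240 per VNET) never drain the pool.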
FreeBSD Security Advisory FreeBSD-SA-15:16.openssh

FreeBSD-SA-15:16.openssh                                  Security Advisory
                                                         The FreeBSD Project

Topic:          OpenSSH multiple vulnerabilities

Category:       contrib
Module:         openssh
Announced:      2015-07-28
Affects:        All supported versions of FreeBSD.
Corrected:      2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
                2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
                2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
                2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
                2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)
                2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)
                2015-07-28 19:58:54 UTC (stable/8, 8.4-STABLE)
                2015-07-28 19:59:22 UTC (releng/8.4, 8.4-RELEASE-p35)
CVE Name:       CVE-2014-2653, CVE-2015-5600

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit https://security.FreeBSD.org/.

I.   Background

OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenticated transport for a variety of services, including
remote shell access. The security of the SSH connection relies on the server
authenticating itself to the client as well as the user authenticating itself
to the server.

SSH servers use host keys to verify their identity. RFC 4255 defines a method
of verifying SSH host keys using Domain Name System Security (DNSSEC), by
publishing the key fingerprint in DNS as an SSHFP resource record. RFC 6187
defines methods to use a signature by a trusted certification authority to
bind a given public key to a given digital identity with X.509v3
certificates.

The PAM (Pluggable Authentication Modules) library provides a flexible
framework for user authentication and session setup / teardown. OpenSSH uses
PAM for password authentication by default.

II.  Problem Description

OpenSSH clients do not correctly verify DNS SSHFP records when a server
offers a certificate. [CVE-2014-2653]

OpenSSH servers which are configured to allow password authentication using
PAM (the default) allow many password attempts.

III. Impact

A malicious server may be able to force a connecting client to skip the DNS
SSHFP record check and require the user to perform manual verification of the
host key fingerprint. This could allow a man-in-the-middle attack if the user
does not carefully check the fingerprint. [CVE-2014-2653]

A remote attacker may effectively bypass the MaxAuthTries setting, which
would enable them to brute force passwords. [CVE-2015-5600]

IV.  Workaround

Systems that do not use OpenSSH are not affected.

There is no workaround for CVE-2014-2653, but the problem only affects
networks where DNSSEC and SSHFP are properly configured. Users who use SSH
should always check server host key fingerprints carefully when prompted.

System administrators can set:

        UsePAM no

in their /etc/ssh/sshd_config and restart the sshd service to work around the
problem described as CVE-2015-5600, at the expense of losing features
provided by the PAM framework.

We recommend that system administrators disable password based
authentication completely and use key based authentication exclusively in
their SSH server configuration, when possible. This eliminates the
possibility of ever being exposed to a password brute force attack.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

The SSH service has to be restarted after the update. A reboot is recommended
but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The SSH service has to be restarted after the update. A reboot is recommended
but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 9.3, 10.1, 10.2]
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch.asc
# gpg --verify openssh.patch.asc

[FreeBSD 8.4]
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch.asc
# gpg --verify openssh-8.patch.asc

b) Apply the patch. Execute the following commands as root
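The workaround section of SA-15:16 (both the original and the revised copy above) names three sshd_config knobs: UsePAM, password authentication, and MaxAuthTries. The following audit, an added example and not code from the advisory or from OpenSSH, reads a config the way sshd does (first occurrence wins, keywords case-insensitive, Match blocks conditional) and reports the settings the advisory says to change; the defaults it assumes are upstream OpenSSH defaults, and the configs it checks are constructed samples.

```python
"""Audit an sshd_config against the workaround in FreeBSD-SA-15:16.openssh.

Added example; not code from the advisory or from OpenSSH.  It reads the
effective global values of the directives the advisory discusses (UsePAM,
PasswordAuthentication, MaxAuthTries) plus PubkeyAuthentication, and reports
settings that leave an unpatched server exposed to the CVE-2015-5600
MaxAuthTries bypass or that the advisory recommends changing.
"""
import re

# Assumed upstream OpenSSH defaults for the directives examined.  FreeBSD's
# shipped /etc/ssh/sshd_config sets "UsePAM yes" explicitly, which is the
# default the advisory refers to.
DEFAULTS = {
    "usepam": "no",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}

_DIRECTIVE = re.compile(r"^([A-Za-z]+)\s*=?\s*(.*)$")


def parse_global_section(text):
    """Return the effective global directive values of an sshd_config.

    As in sshd, the first occurrence of a keyword wins and keywords are
    case-insensitive.  Parsing stops at the first Match block because
    directives inside it apply only when the Match criteria hold.
    """
    values = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip().lower()
        if keyword == "match":
            break
        if keyword in DEFAULTS and keyword not in seen:
            values[keyword] = value
            seen.add(keyword)
    return values


def audit(text):
    """Return a list of findings; empty when the config follows the advisory."""
    v = parse_global_section(text)
    findings = []
    if v["usepam"] == "yes" and v["passwordauthentication"] == "yes":
        findings.append(
            "PAM password authentication is enabled: an unpatched sshd is "
            "exposed to the CVE-2015-5600 MaxAuthTries bypass; the advisory "
            "workaround is 'UsePAM no'")
    if v["passwordauthentication"] == "yes":
        findings.append(
            "PasswordAuthentication yes: the advisory recommends disabling "
            "password authentication and using key-based authentication only")
    if v["pubkeyauthentication"] != "yes":
        findings.append(
            "PubkeyAuthentication is disabled: key-based login, the "
            "recommended alternative to passwords, is unavailable")
    try:
        tries = int(v["maxauthtries"])
    except ValueError:
        tries = None
    if tries is None or tries > int(DEFAULTS["maxauthtries"]):
        findings.append("MaxAuthTries is higher than the default of 6")
    return findings


# Constructed sample configurations (not taken from any real host).
WEAK_CONFIG = """
# FreeBSD-style defaults plus a raised retry limit
Port 22
UsePAM yes
PasswordAuthentication yes
MaxAuthTries 10
"""

HARDENED_CONFIG = """
UsePAM no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
Match User backup
    PasswordAuthentication yes   # conditional; outside the global audit
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":", audit(cfg) or ["no findings"])
```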
FreeBSD Security Advisory FreeBSD-SA-15:17.bind

FreeBSD-SA-15:17.bind                                     Security Advisory
                                                         The FreeBSD Project

Topic:          BIND remote denial of service vulnerability

Category:       contrib
Module:         bind
Announced:      2015-07-28
Credits:        ISC
Affects:        FreeBSD 8.x and FreeBSD 9.x.
Corrected:      2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)
                2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)
                2015-07-28 19:58:54 UTC (stable/8, 8.4-STABLE)
                2015-07-28 19:59:22 UTC (releng/8.4, 8.4-RELEASE-p35)
CVE Name:       CVE-2015-5477

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit https://security.FreeBSD.org/.

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols. The
named(8) daemon is an Internet Domain Name Server.

II.  Problem Description

An error in the handling of TKEY queries can be exploited by an attacker for
use as a denial-of-service vector, as a constructed packet can use the defect
to trigger a REQUIRE assertion failure, causing BIND to exit.

III. Impact

A remote attacker can trigger a crash of a name server. Both recursive and
authoritative servers are affected, and the exposure cannot be mitigated by
either ACLs or configuration options limiting or denying service, because the
exploitable code runs early in the packet handling, before the checks that
enforce those boundaries.

IV.  Workaround

No workaround is available, but systems that are not running BIND are not
vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

The named service has to be restarted after the update. A reboot is
recommended but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The named service has to be restarted after the update. A reboot is
recommended but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:17/bind.patch
# fetch https://security.FreeBSD.org/patches/SA-15:17/bind.patch.asc
# gpg --verify bind.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in https://www.FreeBSD.org/handbook/makeworld.html.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                   Revision
- ----------------------------------------------------
stable/8/                                      r285977
releng/8.4/                                    r285980
stable/9/                                      r285977
releng/9.3/                                    r285980
- ----------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://kb.isc.org/article/AA-01272
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5477

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-15:17.bind.asc
FreeBSD Security Advisory FreeBSD-SA-15:13.tcp

FreeBSD-SA-15:13.tcp                                      Security Advisory
                                                         The FreeBSD Project

Topic:          Resource exhaustion due to sessions stuck in LAST_ACK state

Category:       core
Module:         inet
Announced:      2015-07-21
Credits:        Lawrence Stewart (Netflix, Inc.), Jonathan Looney (Juniper SIRT)
Affects:        All supported versions of FreeBSD.
Corrected:      2015-07-21 23:42:17 UTC (stable/10, 10.2-PRERELEASE)
                2015-07-21 23:42:17 UTC (stable/10, 10.2-BETA1-p1)
                2015-07-21 23:42:17 UTC (stable/10, 10.2-BETA2-p1)
                2015-07-21 23:42:56 UTC (releng/10.1, 10.1-RELEASE-p15)
                2015-07-21 23:42:20 UTC (stable/9, 9.3-STABLE)
                2015-07-21 23:42:56 UTC (releng/9.3, 9.3-RELEASE-p20)
                2015-07-21 23:42:20 UTC (stable/8, 8.4-STABLE)
                2015-07-21 23:42:56 UTC (releng/8.4, 8.4-RELEASE-p34)
CVE Name:       CVE-2015-5358

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit https://security.FreeBSD.org/.

I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data stream
service.

A socket enters the LAST_ACK state when the local process closes its socket
after a FIN has already been received from the remote peer. The socket
remains in the LAST_ACK state until the kernel has transmitted a FIN to the
remote peer and has received an acknowledgement of that FIN from the remote
peer, or until all retransmits of the FIN have failed and the connection
times out.

II.  Problem Description

TCP connections transitioning to the LAST_ACK state can become permanently
stuck due to mishandling of protocol state in certain situations, which in
turn can lead to accumulated consumption and eventual exhaustion of system
resources, such as mbufs and sockets.

III. Impact

An attacker who can repeatedly establish TCP connections to a victim system
(for instance, a Web server) could create many TCP connections that are stuck
in the LAST_ACK state and cause resource exhaustion, resulting in a denial of
service condition.

This may also happen in normal operation where no intentional attack is
conducted, but an attacker who can send specifically crafted packets can
trigger it more reliably.

IV.  Workaround

No workaround is available, but systems that do not provide TCP based
service to untrusted networks are not vulnerable.

Note that the tcpdrop(8) utility can be used to purge connections which have
become wedged. For example, the following command can be used to generate
commands that would drop all connections whose last rcvtime is more than
100s (the extraction had stripped the comparison operator and the quoting
from the awk program; they are restored here so the generated lines read
"tcpdrop <local> <foreign>"):

netstat -nxp tcp | \
    awk '{ if (int($NF) > 100) print "tcpdrop " $4 " " $5 }'

The system administrator can then run the generated script as a temporary
measure. Please refer to the tcpdump(8) manual page for additional
information.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.1]
# fetch https://security.FreeBSD.org/patches/SA-15:13/tcp.patch
# fetch https://security.FreeBSD.org/patches/SA-15:13/tcp.patch.asc
# gpg --verify tcp.patch.asc

[FreeBSD 9.x and 8.x]
# fetch https://security.FreeBSD.org/patches/SA-15:13/tcp-9.patch
# fetch https://security.FreeBSD.org/patches/SA-15:13/tcp-9.patch.asc
# gpg --verify tcp-9.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
https://www.FreeBSD.org/handbook/kernelconfig.html and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                   Revision
- ----------------------------------------------------
stable/8/                                      r285779
releng/8.4/                                    r285780
stable/9
FreeBSD Security Advisory FreeBSD-SA-15:12.openssl

FreeBSD-SA-15:12.openssl                                  Security Advisory
                                                         The FreeBSD Project

Topic:          OpenSSL alternate chains certificate forgery vulnerability

Category:       contrib
Module:         openssl
Announced:      2015-07-09
Credits:        Adam Langley/David Benjamin (Google/BoringSSL), OpenSSL
Affects:        FreeBSD 10.1-STABLE after 2015-06-11 and prior to the
                correction date.
Corrected:      2015-07-09 17:17:22 UTC (stable/10, 10.2-PRERELEASE, 10.2-BETA1)
CVE Name:       CVE-2015-1793

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit https://security.FreeBSD.org/.

I.   Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a
collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and
Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

II.  Problem Description

During certificate verification, OpenSSL will attempt to find an alternative
certificate chain if the first attempt to build such a chain fails, unless
the application explicitly specifies X509_V_FLAG_NO_ALT_CHAINS. An error in
the implementation of this logic could erroneously mark certificates as
trusted when they should not be.

III. Impact

An attacker could cause certain checks on untrusted certificates, such as the
CA (certificate authority) flag, to be bypassed, which would enable them to
use a valid leaf certificate to act as a CA and issue an invalid certificate.

IV.  Workaround

No workaround is available.

NOTE WELL: This issue does not affect earlier FreeBSD releases, including the
supported 8.4, 9.3 and 10.1-RELEASE, because the alternative certificate
chain feature was not introduced in these releases. Only 10.1-STABLE after
2015-06-11 and prior to the correction date is affected.

V.   Solution

Upgrade your vulnerable system to the latest supported FreeBSD stable/10
branch dated after the correction date.

Recompile the operating system using buildworld and installworld as
described in https://www.FreeBSD.org/handbook/makeworld.html.

Restart all daemons using the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                   Revision
- ----------------------------------------------------
stable/10/                                     r285330
- ----------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://www.openssl.org/news/secadv_20150709.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1793

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-15:12.openssl.asc
FreeBSD Security Advisory FreeBSD-SA-15:11.bind

FreeBSD-SA-15:11.bind                                     Security Advisory
                                                         The FreeBSD Project

Topic:          BIND resolver remote denial of service when validating

Category:       contrib
Module:         bind
Announced:      2015-07-07
Credits:        ISC
Affects:        FreeBSD 8.4 and FreeBSD 9.3.
Corrected:      2015-07-07 21:43:23 UTC (stable/9, 9.3-STABLE)
                2015-07-07 21:44:01 UTC (releng/9.3, 9.3-RELEASE-p19)
                2015-07-07 21:43:23 UTC (stable/8, 8.4-STABLE)
                2015-07-07 21:44:01 UTC (releng/8.4, 8.4-RELEASE-p33)
CVE Name:       CVE-2015-4620

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit https://security.FreeBSD.org/.

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocol. The
named(8) daemon is an Internet Domain Name Server. The libdns library is a
library of DNS protocol support functions.

II.  Problem Description

Due to a software defect, specially constructed zone data could cause
named(8) to crash with an assertion failure while rejecting the malformed
query when DNSSEC validation is enabled.

III. Impact

An attacker who can cause specific queries to be sent to a nameserver could
cause named(8) to crash, resulting in a denial of service.

IV.  Workaround

No workaround is available, but hosts not running named(8) are not
vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-15:11/bind-9.patch
# fetch https://security.FreeBSD.org/patches/SA-15:11/bind-9.patch.asc
# gpg --verify bind-9.patch.asc

[FreeBSD 8.4]
# fetch https://security.FreeBSD.org/patches/SA-15:11/bind-8.patch
# fetch https://security.FreeBSD.org/patches/SA-15:11/bind-8.patch.asc
# gpg --verify bind-8.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in https://www.FreeBSD.org/handbook/makeworld.html.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                   Revision
- ----------------------------------------------------
stable/8/                                      r285257
releng/8.4/                                    r285258
stable/9/                                      r285257
releng/9.3/                                    r285258
- ----------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://kb.isc.org/article/AA-01267/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4620

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-15:11.bind.asc