Date: Wed, 3 Nov 2021 22:44:29 GMT
Message-Id: <202111032244.1A3MiTaE019662@gitrepo.freebsd.org>
To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
From: Gordon Tetlow
Subject: git: eb228f6747 - main - Add EN-21:26 through EN-21:29.
List-Id: Commit messages for all branches of the doc repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-doc-all
Sender: owner-dev-commits-doc-all@freebsd.org
X-BeenThere: dev-commits-doc-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: gordon
X-Git-Repository: doc
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: eb228f6747b7a6b02148cee8cde337a033be56e4
Auto-Submitted: auto-generated
X-ThisMailContainsUnwantedMimeParts: N

The branch main has been updated by gordon (src committer):

URL: https://cgit.FreeBSD.org/doc/commit/?id=eb228f6747b7a6b02148cee8cde337a033be56e4

commit eb228f6747b7a6b02148cee8cde337a033be56e4
Author:     Gordon Tetlow
AuthorDate: 2021-11-03 22:43:58 +0000
Commit:     Gordon Tetlow
CommitDate: 2021-11-03 22:43:58 +0000

    Add EN-21:26 through EN-21:29.

    Approved by: so
---
 website/data/security/errata.toml | 16 +
 .../advisories/FreeBSD-EN-21:26.libevent.asc | 132 +
 .../advisories/FreeBSD-EN-21:27.caroot.asc | 154 +
 .../security/advisories/FreeBSD-EN-21:28.vmci.asc | 145 +
 .../advisories/FreeBSD-EN-21:29.tzdata.asc | 168 +
 .../security/patches/EN-21:26/libevent.patch | 10 +
 .../security/patches/EN-21:26/libevent.patch.asc | 16 +
 .../security/patches/EN-21:27/caroot.12.patch | 6734 ++++++++++++++++++++
 .../security/patches/EN-21:27/caroot.12.patch.asc | 16 +
 .../security/patches/EN-21:27/caroot.13.patch | 6374 ++++++++++++++++++
 .../security/patches/EN-21:27/caroot.13.patch.asc | 16 +
 .../static/security/patches/EN-21:28/vmci.patch | 138 +
 .../security/patches/EN-21:28/vmci.patch.asc | 16 +
 .../security/patches/EN-21:29/tzdata-2021a3.patch | 205 +
 .../patches/EN-21:29/tzdata-2021a3.patch.asc | 16 +
 15 files changed, 14156 insertions(+)
diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml index 4cc5b7ccfa..c74f581696 100644 --- a/website/data/security/errata.toml +++ b/website/data/security/errata.toml @@ -1,6 +1,22 @@ # Sort errata notices by year, month and day # $FreeBSD$ +[[notices]] +name = "FreeBSD-EN-21:29.tzdata" +date = "2021-11-03" + +[[notices]] +name = "FreeBSD-EN-21:28.vmci" +date = "2021-11-03" + +[[notices]] +name = "FreeBSD-EN-21:27.caroot" +date = "2021-11-03" + +[[notices]] +name = "FreeBSD-EN-21:26.libevent" +date = "2021-11-03" + [[notices]] name = "FreeBSD-EN-21:25.bhyve" date = "2021-08-24" diff --git a/website/static/security/advisories/FreeBSD-EN-21:26.libevent.asc b/website/static/security/advisories/FreeBSD-EN-21:26.libevent.asc new file mode 100644 index 0000000000..a169171d52 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-21:26.libevent.asc 
@@ -0,0 +1,132 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-21:26.libevent Errata Notice + The FreeBSD Project + +Topic: libevent1 ABI breakage + +Category: core +Module: libevent1 +Announced: 2021-11-03 +Affects: FreeBSD 13.0 +Corrected: 2021-04-01 17:29:20 UTC (stable/13, 13.0-STABLE) + 2021-11-03 20:37:22 UTC (releng/13.0, 13.0-RELEASE-p5) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +libevent1 is a version of libevent in the base system used in ftp-proxy(8) and +ypldap(8). + +II. Problem Description + +libevent1 maintains a local copy of some structure definitions from system +headers to simplify consumers of the library. One of these structures no +longer matched the corresponding system definition, causing inconsistent views +of the `struct event` and `struct bufferevent` layouts. + +III. Impact + +ftp-proxy(8) will no longer handle incoming connections, ypldap(8) is likely +affected as well. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. No reboot will be required, +but ftp-proxy and ypldap will need to be restarted. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. 
+ +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-21:26/libevent.patch +# fetch https://security.FreeBSD.org/patches/EN-21:26/libevent.patch.asc +# gpg --verify libevent.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart the applicable daemons, or reboot the system. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ e0ad785a5d29 stable/13-n245086 +releng/13.0/ 5cd45ad4784b releng/13.0-n244761 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmGDD8QACgkQ05eS9J6n +5cJe9g/6A2NIX4/0rlO0gGzTvYcRGb/0aAiR58mcinn5SNPVN40kzG93iq8AxKhq +h9U2BtM/KZEIgbmwaltoQWQUrzHwF/K1pKFo6+u1nNSSbUy3dLV+rIDKXSinNND6 +vPkZIZbVBIsEWvMRbLexuuBI9QT+jEQFrMnRKocEXp3Yr0eooEzpseKUEfAS5yvt ++WlbN4m7lwCnod8gCT7phKATPfQZ1aKj46z5f99qc1+VyJ3323uI//1LsN9A7ra5 +sWW40FeNfbxKweaqgYZRqdwPvxtwh7luQGWBTk/2uQZ7yxEKLgGp5mRkIYG8GQsM +d3gvGgw0ZUuRAjlA9io10T1Drb31pOR8/7aeD3EtsnBNEc3+M7OSOju5C1bU3put +zAvForqifSq45wMTnW3CbsMdurq2JKhhAwpYXFib19Lv2yKVWNTOrtR6MGtbBv9b +KSsJw2w8xLVN1/xGCtbrd4qZQhakQijyoqgG4reP1J+mw073WJVJMRG29YDvDcwD +Zu+rAVlO7dz/uQZKowQJrWh4+kKxZCRbBPIQiQUxQ1T5XsCrQ6DNzvNZHuRWWoDs +KV43T2RNgq70ur1sX4L+VSU0RVx4q9akGSD0lEl8pb/OvbEwCTWzs+UmjdpiTnUS +b8ySlj56z6/yTpAVjQsHQijTCOy8L/uaVd2sXlr4sfDnbL+2mgg= +=oYzJ +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-21:27.caroot.asc b/website/static/security/advisories/FreeBSD-EN-21:27.caroot.asc new file mode 100644 index 0000000000..2c7c5f51be --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-21:27.caroot.asc 
@@ -0,0 +1,154 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-21:27.caroot Errata Notice + The FreeBSD Project + +Topic: Root certificate bundle update + +Category: core +Module: caroot +Announced: 2021-11-03 +Affects: FreeBSD 12.2 and later. +Corrected: 2021-09-04 07:39:07 UTC (stable/13, 13.0-STABLE) + 2021-11-03 20:37:26 UTC (releng/13.0, 13.0-RELEASE-p5) + 2021-09-04 07:39:03 UTC (stable/12, 12.2-STABLE) + 2021-11-03 20:55:26 UTC (releng/12.2, 12.2-RELEASE-p11) + +Note: Systems running FreeBSD 12.3-BETA are unaffected. + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The root certificate bundle is the trust store that is used by OpenSSL +programs and libraries to aide in determining whether it should trust +a given TLS certificate. + +II. Problem Description + +Several certificates were removed from the bundle after the latest release +of FreeBSD 12.2 and FreeBSD 13.0. Additionally, an oversight in the root +bundle processor included some roots that were not intended to be trusted for +these purposes (SERVER_AUTH). + +III. Impact + +Certificates are often removed from the root bundle due to a failure to +meet the standards established by Mozilla for being considered a trusted +Certificate Authority. Continuing to trust roots despite their removal from +the bundle should be considered risky. + +IV. Workaround + +No workaround is available. Software that uses an internal trust store +is not affected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. 
+ +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 13.0] +# fetch https://security.FreeBSD.org/patches/EN-21:27/caroot.13.patch +# fetch https://security.FreeBSD.org/patches/EN-21:27/caroot.13.patch.asc +# gpg --verify caroot.13.patch.asc + +[FreeBSD 12.2] +# fetch https://security.FreeBSD.org/patches/EN-21:27/caroot.12.patch +# fetch https://security.FreeBSD.org/patches/EN-21:27/caroot.12.patch.asc +# gpg --verify caroot.12.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart all applications that may be using OpenSSL, or reboot the system. + +VI. 
Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 62aaa70143a6 stable/13-n247098 +releng/13.0/ b76aaa35423e releng/13.0-n244762 +stable/12/ r370507 +releng/12.2/ r370978 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmGDD88ACgkQ05eS9J6n +5cKyaA//RQJ2wYygqL8o9iQK9FAl+gZO8x9C7Vlbgj1PBe0VHxlKoEmE48Iu4+vi +56DR0rgPflx4EdqStFYzkjWnwIEhWGCJLIxFnDpL15/b3cxYoD+R9ipF3qt8ljz+ +Yyuw0NCCgyq36IfJMThQ3pKBOBbY8Bw4GLHAJE790AqXY+wIdUKdo+DxzYj/NcyS +kbis9f+PCGPoDXSf4wMIj2IbE5LiMZbM6NF9QkmPE1ZzOh9eegsO2opm1FWE8UyD +43i3HkpnBbKooq9yE/MpldrUH3+4VWiXpD0FtBMUY65ZMBSw2ddzzvupQ8jROkQq +F6ZB4nwAVLwCiq7Yvwg5gTFyy6KUywdYs211R3SycjHwMoyCZOPLLFPqM1vio8u+ +Z1TItxKfW0/MT0yTQFNQK6CAPd92Co3mmEGKzPmvbxwK7idfB2lgFjExCeF3FwVU +guUeIDTXDKQ+V0nynWERmDdI1S3x9bllZzIMU23BuuwKZDdR+lPJiKX1vUXmpe8p +lmISyCVIg+0bIRL4WNAqceAIuUA/7zLCtCWF4OEl6utmb7hWVxmPH8GyjyzktLWh +BwwHCspeT2h5y1leCVXigFv9nGgTj+kDXtgE4itIJXRPiliQ2j9VueGOe/I0gS/4 +9R2ro6t4UIi/E4T7Mp+oaiOGKARnE3Uf2aAelQbt9Do68taqTSU= +=9hM5 +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-21:28.vmci.asc b/website/static/security/advisories/FreeBSD-EN-21:28.vmci.asc new file mode 100644 index 0000000000..d4ec4fd0ff --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-21:28.vmci.asc 
@@ -0,0 +1,145 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-21:28.vmci Errata Notice + The FreeBSD Project + +Topic: Fix kernel panic in vmci driver initialization + +Category: core +Module: vmci +Announced: 2021-11-03 +Affects: FreeBSD 12.x, FreeBSD 13.0 +Corrected: 2021-10-16 18:22:43 UTC (stable/13, 13.0-STABLE) + 2021-11-03 20:40:19 UTC (releng/13.0, 13.0-RELEASE-p5) + 2021-10-17 18:51:19 UTC (stable/12, 12.2-STABLE) + 2021-11-03 20:55:32 UTC (releng/12.2, 12.2-RELEASE-p11) + +Note: Systems running FreeBSD 12.3-BETA are unaffected. + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The vmci(4) driver implements VMware Virtual Machine Communication Interface +for FreeBSD. It allows virtual machines to communicate with host kernel modules +and VMware hypervisors. + +II. Problem Description + +An error during driver initialization results in a kernel panic due to unallocated +resources being freed up. + +III. Impact + +The vmci(4) driver is loaded automatically by devd when the system is being +run on the VMWare hypervisor. The kernel panic happens at the system boot stage. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. 
+ +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r now + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-21:28/vmci.patch +# fetch https://security.FreeBSD.org/patches/EN-21:28/vmci.patch.asc +# gpg --verify vmci.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 4e5c1be4202a stable/13-n247688 +releng/13.0/ 847819dca14d releng/13.0-n244763 +stable/12/ r370935 +releng/12.2/ r370979 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize 
svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmGDD9AACgkQ05eS9J6n +5cLAKxAApP3naU6wV6gwTGIVfugBt74TG6Q3thkg8mWqFUIRnpBgHH5yBrP7SESu +N07Y21Z84tNzOoQtZs1MrF2gfW8KUdBC80wIT+1I8fEmteX/+8/6CKsu0JRh//n4 +8YXf5/BjqgC2aQXfm0Zp4ddKLymmq1rLrxJcjOGqlrVsxXgSyh/ExUbpM/vIUBDi +DKSpK0zjv+54R0B3ihWM2+qRmMEMKEAwxNTm3IKVUyZymYm7SpLpKZetE9GFOmKU +1AFlTomJmxbPcSGR2APu0R8xHf+wZIMiw1SqJR8bBrXxHjoVTrjl+PosIlX9jakE +S9V0xbnVBSxsmIOfEXw3U8Q+AYCQ3bQXXJ1E6YmKCpOcqKYF8wC+iD7Q/OHzUCFE +Hrnf8mNJHdZ8QK3WjdzfLwR2JAQ6yVJ2F2Bojqp+wwBIX+/Sq/mGPsZMVPVImdXj +9OOo+O+nZmBVqRHcLeis/GOy7CdPlnVQOxdhMcR4DMv739dJwKDYb0iYHw86KM++ +3RNbJk89TSHGYGR4bKNZsDtq+9UUclBqwZesZSVDsgyB4gJvmqeBbV1g21yVdjw8 +ZvUI7MgI/4IB3Ac8qH5XSYdfUDZtDqzcjo6FnK/cEOYKFAgTPsCbBbbi3lZHoV9y +Hz1Hwg0mqS1VEIUh8ipMTIod3yBiGoYEMiF4TGhpJhn100LaVFQ= +=+4Iy +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-21:29.tzdata.asc b/website/static/security/advisories/FreeBSD-EN-21:29.tzdata.asc new file mode 100644 index 0000000000..5da76853cf --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-21:29.tzdata.asc 
@@ -0,0 +1,168 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-21:29.tzdata Errata Notice + The FreeBSD Project + +Topic: Timezone database information update + +Category: contrib +Module: zoneinfo +Announced: 2021-11-03 +Affects: All supported versions of FreeBSD. +Corrected: 2021-10-25 01:09:01 UTC (stable/13, 13.0-STABLE) + 2021-11-03 20:44:52 UTC (releng/13.0, 13.0-RELEASE-p5) + 2021-10-25 01:09:08 UTC (stable/12, 12.3-STABLE) + 2021-10-25 01:12:50 UTC (releng/12.3, 12.3-BETA1) + 2021-11-03 20:55:36 UTC (releng/12.2, 12.2-RELEASE-p11) + +Note: Systems running FreeBSD 12.3-BETA1 are affected, however 12.3-BETA2 + and later are already remediated. + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The tzsetup(8) program allows the user to specify the default local timezone. +Based on the selected timezone, tzsetup(8) copies one of the files from +/usr/share/zoneinfo to /etc/localtime. This file actually controls the +conversion. + +II. Problem Description + +Several changes in Daylight Saving Time transition dates happened after +previous FreeBSD releases were released affecting many users in different +parts of the world. Because of these changes, the data in the zoneinfo files +need to be updated, and if the local timezone on the running system is +affected, tzsetup(8) needs to be run so the /etc/localtime is updated. + +III. Impact + +An incorrect time will be displayed on a system configured to use one of the +affected timezones if the /usr/share/zoneinfo and /etc/localtime files are +not updated, and all applications on the system that rely on the system time, +such as cron(8) and syslog(8), will be affected. + +IV. 
Workaround + +The system administrator can install an updated timezone database from the +misc/zoneinfo port and run tzsetup(8) to get the timezone database corrected. + +Applications that store and display times in Coordinated Universal Time (UTC) +are not affected. + +V. Solution + +Please note that some third party software, for instance PHP, Ruby, Java, Perl +and Python, may be using different zoneinfo data source, in such cases this +software must be updated separately. Software packages that are installed via +binary packages can be upgraded by executing `pkg upgrade'. + +Following the instructions in this Errata Notice will update all of the +zoneinfo files to be the same as what was released with FreeBSD release. + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. Restart all the affected +applications and daemons, or reboot the system. + +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Restart all the affected applications and daemons, or reboot the system. + +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-21:29/tzdata-2021a3.patch +# fetch https://security.FreeBSD.org/patches/EN-21:29/tzdata-2021a3.patch.asc +# gpg --verify tzdata-2021a3.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . 
+ +Restart all the affected applications and daemons, or reboot the system. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ ed325e2ec2dc stable/13-n247816 +releng/13.0/ 11754a61115f releng/13.0-n244764 +stable/12/ r370968 +releng/12.3/ r370969 +releng/12.2/ r370980 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmGDD9AACgkQ05eS9J6n +5cLIrg/+L/OYcepPmR4va4+0Q+vv90D0lsZGH/So6FJ2aa8zXdAmpQJaA5g+cptW +pwwOPa58UzOVCuIZSlAsBubqj9XPT/LUFN0FxcsduyHf0izf2+tfjS/RsmOtzCD0 +muE5UwIDQwXdmDNnyWnrdBbBW94nqD3BU526LbG/RkmKumDgd4wPIuGsbFAcSiAW +BVyrZQXdttyw6ZK7I7YxITsXtqrCMmYwDm4ZpnI+iLzh5droQxf7S2ejMTyKLPxQ +mRNHQxa+TAVWZUyLDPT6mZc9yWzuM0huuIl70iTaz59SFcs2/s4Qw+J2WTVammsl +4FzVoFjLD9/Bkx2JyghC5MD45XE5oHrxQ2duL6TLgqu1ZnN1EUvw8AS9TRD51pEP +6ryG9OZ5ICpaiEniEbgfuvzbM3sJm0DwA84LVahpVD7fCflzimn4NESz6UyVDp86 +B9l1O2yRLpaMz5CIUBI9yRI7QefK2em3PE19n0/JGYZbSMOd5J9no3692vIMZhS9 +xEgUCRTpr68s2df+liXK1oKJe6v8uZWIeptINGLA9aHfYPw4pI4jYN67S93mhqXc +ORO9VPTeJPrmmn82/fpPKFRZsi8nE+pHatCYeKwLA1ZiClDJo+nTcdIP8jMJAixW +S1yDx0acbOWth7NzgRf3bdA3NZ9Vp8jX0oxmYYbJxQjh4K+mwRY= +=uW9d +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-21:26/libevent.patch b/website/static/security/patches/EN-21:26/libevent.patch new file mode 100644 index 0000000000..5cdc37d825 --- /dev/null +++ b/website/static/security/patches/EN-21:26/libevent.patch @@ -0,0 +1,10 @@ +--- contrib/pf/libevent/event.h.orig ++++ contrib/pf/libevent/event.h +@@ -73,7 +73,6 @@ + struct type *rbe_left; /* left element */ \ + struct type *rbe_right; /* right element */ \ + struct type *rbe_parent; /* parent element */ \ +- int rbe_color; /* node color */ \ + } + #endif /* !RB_ENTRY */ + diff --git a/website/static/security/patches/EN-21:26/libevent.patch.asc b/website/static/security/patches/EN-21:26/libevent.patch.asc new file mode 100644 index 0000000000..aefeb09f3d --- /dev/null +++ b/website/static/security/patches/EN-21:26/libevent.patch.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmGDD88ACgkQ05eS9J6n +5cLSDxAAmQxhTq0KDh6Sde2t92VLvkAj4WZbRnSCMP7fkqqd7YoC05/ptINbM2+I +vB8SakIx8Ic5AUqniF43wRnTz1V4XIeM9f0iZyZyy+ksMB0hYPVVdx1AjWrCWDfA +wEF38MoWXk4EPDinBL9QCfa85Vq0beivdcIFMbiDal1X6zK3iDATq8qNSX+ChshP +Xno2QCCPwoZjPpZhRpb+j4MGP8Ro+jCJuawzwhsm999MbAF4GzKZqAzdF8i8oTda +RHF9blnqo4Q3ENMfBs6pdKcxaymu+E82GioHqpEUkZdmQzcW2z15TBcX405Zbl8/ +vGeY7GMhTr7JDvw324bYdpRoDaO2HbBrDGaowCo1PgsAUKsat0qqGIzZ5aS22tPt +DIixovSuGe8u1n21l3SX1LKmrVGfhLjl3IH8DHWrYxOMhI1iAQ42qDtD+kTUc5zS +vNdGno1CBlCGKqUOwUlwJSE+hSxYV3+NOuqzunv5eHmnfwlEa4AtNZqx6NCBEcnt +T9PCpEa3fIB5HiHGD1mFm8Zyjnk6kwdnUpnQeQKcYz+ShkjytXQ7tR79W+XdTSgf +H6HDWEYGF1oRN+et/I/TgspdFcvq036xAFX7XzOFrp/93cZkPS2Dddwow7rzKGPK +I/NpXu0tHiUwrkZu5BXmbuqLyLRRVQjsTehJGfKve9gdlWYZiEA= +=tm73 +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-21:27/caroot.12.patch b/website/static/security/patches/EN-21:27/caroot.12.patch new file mode 100644 index 0000000000..b41f372bab --- /dev/null +++ b/website/static/security/patches/EN-21:27/caroot.12.patch 
@@ -0,0 +1,6734 @@ +--- secure/caroot/MAca-bundle.pl.orig ++++ secure/caroot/MAca-bundle.pl +@@ -76,6 +76,8 @@ + ## Authority (CA). It was automatically extracted from Mozilla's + ## root CA list (the file `certdata.txt' in security/nss). + ## ++## It contains a certificate trusted for server authentication. ++## + ## Extracted from nss + ## with $VERSION + ## +@@ -91,6 +93,8 @@ + ## Authorities (CA). These were automatically extracted from Mozilla's + ## root CA list (the file `certdata.txt'). + ## ++## It contains certificates trusted for server authentication. ++## + ## Extracted from nss + ## with $VERSION + ## +@@ -100,6 +104,13 @@ + } + } + ++# returns a string like YYMMDDhhmmssZ of current time in GMT zone ++sub timenow() ++{ ++ my ($sec,$min,$hour,$mday,$mon,$year,undef,undef,undef) = gmtime(time); ++ return sprintf "%02d%02d%02d%02d%02d%02dZ", $year-100, $mon+1, $mday, $hour, $min, $sec; ++} ++ + sub printcert($$$) + { + my ($fh, $label, $certdata) = @_; +@@ -110,6 +121,8 @@ + close(OUT) or die "openssl x509 failed with exit code $?"; + } + ++# converts a datastream that is to be \177-style octal constants ++# from <> to a (binary) string and returns it + sub graboct($) + { + my $ifh = shift; +@@ -125,13 +138,13 @@ + return $data; + } + +- + sub grabcert($) + { + my $ifh = shift; + my $certdata; +- my $cka_label; +- my $serial; ++ my $cka_label = ''; ++ my $serial = 0; ++ my $distrust = 0; + + while (<$ifh>) { + chomp; +@@ -148,6 +161,19 @@ + if (/^CKA_SERIAL_NUMBER MULTILINE_OCTAL/) { + $serial = graboct($ifh); + } ++ ++ if (/^CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL/) ++ { ++ my $distrust_after = graboct($ifh); ++ my $time_now = timenow(); ++ if ($time_now >= $distrust_after) { $distrust = 1; } ++ if ($debug) { ++ printf STDERR "line $.: $cka_label ser #%d: distrust after %s, now: %s -> distrust $distrust\n", $serial, $distrust_after, timenow(); ++ } ++ if ($distrust) { ++ return undef; ++ } ++ } + } + return ($serial, $cka_label, $certdata); + } 
+@@ -171,13 +197,13 @@ + $serial = graboct($ifh); + } + +- if (/^CKA_TRUST_(SERVER_AUTH|EMAIL_PROTECTION|CODE_SIGNING) CK_TRUST (\S+)$/) ++ if (/^CKA_TRUST_SERVER_AUTH CK_TRUST (\S+)$/) + { +- if ($2 eq 'CKT_NSS_NOT_TRUSTED') { ++ if ($1 eq 'CKT_NSS_NOT_TRUSTED') { + $distrust = 1; +- } elsif ($2 eq 'CKT_NSS_TRUSTED_DELEGATOR') { ++ } elsif ($1 eq 'CKT_NSS_TRUSTED_DELEGATOR') { + $maytrust = 1; +- } elsif ($2 ne 'CKT_NSS_MUST_VERIFY_TRUST') { ++ } elsif ($1 ne 'CKT_NSS_MUST_VERIFY_TRUST') { + confess "Unknown trust setting on line $.:\n" + . "$_\n" + . "Script must be updated:"; +@@ -197,16 +223,22 @@ + print_header(*STDOUT, ""); + } + ++my $untrusted = 0; ++ + while (<$inputfh>) { + if (/^CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE/) { + my ($serial, $label, $certdata) = grabcert($inputfh); + if (defined $certs{$label."\0".$serial}) { + warn "Certificate $label duplicated!\n"; + } +- $certs{$label."\0".$serial} = $certdata; +- # We store the label in a separate hash because truncating the key +- # with \0 was causing garbage data after the end of the text. +- $labels{$label."\0".$serial} = $label; ++ if (defined $certdata) { ++ $certs{$label."\0".$serial} = $certdata; ++ # We store the label in a separate hash because truncating the key ++ # with \0 was causing garbage data after the end of the text. ++ $labels{$label."\0".$serial} = $label; ++ } else { # $certdata undefined? 
distrust_after in effect ++ $untrusted ++; ++ } + } elsif (/^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/) { + my ($serial, $label, $trust) = grabtrust($inputfh); + if (defined $trusts{$label."\0".$serial}) { +@@ -226,7 +258,6 @@ + } + + # weed out untrusted certificates +-my $untrusted = 0; + foreach my $it (keys %trusts) { + if (!$trusts{$it}) { + if (!exists($certs{$it})) { +--- /dev/null ++++ secure/caroot/blacklisted/Camerfirma_Chambers_of_Commerce_Root.pem +@@ -0,0 +1,112 @@ ++## ++## Camerfirma Chambers of Commerce Root ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## Extracted from nss ++## with $FreeBSD$ ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: 0 (0x0) ++ Signature Algorithm: sha1WithRSAEncryption ++ Issuer: C = EU, O = AC Camerfirma SA CIF A82743287, OU = http://www.chambersign.org, CN = Chambers of Commerce Root ++ Validity ++ Not Before: Sep 30 16:13:43 2003 GMT ++ Not After : Sep 30 16:13:44 2037 GMT ++ Subject: C = EU, O = AC Camerfirma SA CIF A82743287, OU = http://www.chambersign.org, CN = Chambers of Commerce Root ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ RSA Public-Key: (2048 bit) ++ Modulus: ++ 00:b7:36:55:e5:a5:5d:18:30:e0:da:89:54:91:fc: ++ c8:c7:52:f8:2f:50:d9:ef:b1:75:73:65:47:7d:1b: ++ 5b:ba:75:c5:fc:a1:88:24:fa:2f:ed:ca:08:4a:39: ++ 54:c4:51:7a:b5:da:60:ea:38:3c:81:b2:cb:f1:bb: ++ d9:91:23:3f:48:01:70:75:a9:05:2a:ad:1f:71:f3: ++ c9:54:3d:1d:06:6a:40:3e:b3:0c:85:ee:5c:1b:79: ++ c2:62:c4:b8:36:8e:35:5d:01:0c:23:04:47:35:aa: ++ 9b:60:4e:a0:66:3d:cb:26:0a:9c:40:a1:f4:5d:98: ++ bf:71:ab:a5:00:68:2a:ed:83:7a:0f:a2:14:b5:d4: ++ 22:b3:80:b0:3c:0c:5a:51:69:2d:58:18:8f:ed:99: ++ 9e:f1:ae:e2:95:e6:f6:47:a8:d6:0c:0f:b0:58:58: ++ db:c3:66:37:9e:9b:91:54:33:37:d2:94:1c:6a:48: ++ c9:c9:f2:a5:da:a5:0c:23:f7:23:0e:9c:32:55:5e: ++ 
71:9c:84:05:51:9a:2d:fd:e6:4e:2a:34:5a:de:ca: ++ 40:37:67:0c:54:21:55:77:da:0a:0c:cc:97:ae:80: ++ dc:94:36:4a:f4:3e:ce:36:13:1e:53:e4:ac:4e:3a: ++ 05:ec:db:ae:72:9c:38:8b:d0:39:3b:89:0a:3e:77: ++ fe:75 ++ Exponent: 3 (0x3) ++ X509v3 extensions: ++ X509v3 Basic Constraints: critical ++ CA:TRUE, pathlen:12 ++ X509v3 CRL Distribution Points: ++ ++ Full Name: ++ URI:http://crl.chambersign.org/chambersroot.crl ++ ++ X509v3 Subject Key Identifier: ++ E3:94:F5:B1:4D:E9:DB:A1:29:5B:57:8B:4D:76:06:76:E1:D1:A2:8A ++ X509v3 Key Usage: critical ++ Certificate Sign, CRL Sign ++ Netscape Cert Type: ++ SSL CA, S/MIME CA, Object Signing CA ++ X509v3 Subject Alternative Name: ++ email:chambersroot@chambersign.org ++ X509v3 Issuer Alternative Name: ++ email:chambersroot@chambersign.org ++ X509v3 Certificate Policies: ++ Policy: 1.3.6.1.4.1.17326.10.3.1 ++ CPS: http://cps.chambersign.org/cps/chambersroot.html ++ ++ Signature Algorithm: sha1WithRSAEncryption ++ 0c:41:97:c2:1a:86:c0:22:7c:9f:fb:90:f3:1a:d1:03:b1:ef: ++ 13:f9:21:5f:04:9c:da:c9:a5:8d:27:6c:96:87:91:be:41:90: ++ 01:72:93:e7:1e:7d:5f:f6:89:c6:5d:a7:40:09:3d:ac:49:45: ++ 45:dc:2e:8d:30:68:b2:09:ba:fb:c3:2f:cc:ba:0b:df:3f:77: ++ 7b:46:7d:3a:12:24:8e:96:8f:3c:05:0a:6f:d2:94:28:1d:6d: ++ 0c:c0:2e:88:22:d5:d8:cf:1d:13:c7:f0:48:d7:d7:05:a7:cf: ++ c7:47:9e:3b:3c:34:c8:80:4f:d4:14:bb:fc:0d:50:f7:fa:b3: ++ ec:42:5f:a9:dd:6d:c8:f4:75:cf:7b:c1:72:26:b1:01:1c:5c: ++ 2c:fd:7a:4e:b4:01:c5:05:57:b9:e7:3c:aa:05:d9:88:e9:07: ++ 46:41:ce:ef:41:81:ae:58:df:83:a2:ae:ca:d7:77:1f:e7:00: ++ 3c:9d:6f:8e:e4:32:09:1d:4d:78:34:78:34:3c:94:9b:26:ed: ++ 4f:71:c6:19:7a:bd:20:22:48:5a:fe:4b:7d:03:b7:e7:58:be: ++ c6:32:4e:74:1e:68:dd:a8:68:5b:b3:3e:ee:62:7d:d9:80:e8: ++ 0a:75:7a:b7:ee:b4:65:9a:21:90:e0:aa:d0:98:bc:38:b5:73: ++ 3c:8b:f8:dc ++SHA1 Fingerprint=6E:3A:55:A4:19:0C:19:5C:93:84:3C:C0:DB:72:2E:31:30:61:F0:B1 ++-----BEGIN CERTIFICATE----- ++MIIEvTCCA6WgAwIBAgIBADANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJFVTEn 
++MCUGA1UEChMeQUMgQ2FtZXJmaXJtYSBTQSBDSUYgQTgyNzQzMjg3MSMwIQYDVQQL ++ExpodHRwOi8vd3d3LmNoYW1iZXJzaWduLm9yZzEiMCAGA1UEAxMZQ2hhbWJlcnMg ++b2YgQ29tbWVyY2UgUm9vdDAeFw0wMzA5MzAxNjEzNDNaFw0zNzA5MzAxNjEzNDRa ++MH8xCzAJBgNVBAYTAkVVMScwJQYDVQQKEx5BQyBDYW1lcmZpcm1hIFNBIENJRiBB ++ODI3NDMyODcxIzAhBgNVBAsTGmh0dHA6Ly93d3cuY2hhbWJlcnNpZ24ub3JnMSIw ++IAYDVQQDExlDaGFtYmVycyBvZiBDb21tZXJjZSBSb290MIIBIDANBgkqhkiG9w0B ++AQEFAAOCAQ0AMIIBCAKCAQEAtzZV5aVdGDDg2olUkfzIx1L4L1DZ77F1c2VHfRtb ++unXF/KGIJPov7coISjlUxFF6tdpg6jg8gbLL8bvZkSM/SAFwdakFKq0fcfPJVD0d ++BmpAPrMMhe5cG3nCYsS4No41XQEMIwRHNaqbYE6gZj3LJgqcQKH0XZi/caulAGgq ++7YN6D6IUtdQis4CwPAxaUWktWBiP7Zme8a7ileb2R6jWDA+wWFjbw2Y3npuRVDM3 ++0pQcakjJyfKl2qUMI/cjDpwyVV5xnIQFUZot/eZOKjRa3spAN2cMVCFVd9oKDMyX ++roDclDZK9D7ONhMeU+SsTjoF7Nuucpw4i9A5O4kKPnf+dQIBA6OCAUQwggFAMBIG ++A1UdEwEB/wQIMAYBAf8CAQwwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5j ++aGFtYmVyc2lnbi5vcmcvY2hhbWJlcnNyb290LmNybDAdBgNVHQ4EFgQU45T1sU3p ++26EpW1eLTXYGduHRooowDgYDVR0PAQH/BAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIA ++BzAnBgNVHREEIDAegRxjaGFtYmVyc3Jvb3RAY2hhbWJlcnNpZ24ub3JnMCcGA1Ud ++EgQgMB6BHGNoYW1iZXJzcm9vdEBjaGFtYmVyc2lnbi5vcmcwWAYDVR0gBFEwTzBN ++BgsrBgEEAYGHLgoDATA+MDwGCCsGAQUFBwIBFjBodHRwOi8vY3BzLmNoYW1iZXJz ++aWduLm9yZy9jcHMvY2hhbWJlcnNyb290Lmh0bWwwDQYJKoZIhvcNAQEFBQADggEB ++AAxBl8IahsAifJ/7kPMa0QOx7xP5IV8EnNrJpY0nbJaHkb5BkAFyk+cefV/2icZd ++p0AJPaxJRUXcLo0waLIJuvvDL8y6C98/d3tGfToSJI6WjzwFCm/SlCgdbQzALogi ++1djPHRPH8EjX1wWnz8dHnjs8NMiAT9QUu/wNUPf6s+xCX6ndbcj0dc97wXImsQEc ++XCz9ek60AcUFV7nnPKoF2YjpB0ZBzu9Bga5Y34OirsrXdx/nADydb47kMgkdTXg0 ++eDQ8lJsm7U9xxhl6vSAiSFr+S30Dt+dYvsYyTnQeaN2oaFuzPu5ifdmA6Ap1erfu ++tGWaIZDgqtCYvDi1czyL+Nw= ++-----END CERTIFICATE----- +--- /dev/null ++++ secure/caroot/blacklisted/Camerfirma_Global_Chambersign_Root.pem +@@ -0,0 +1,112 @@ ++## ++## Camerfirma Global Chambersign Root ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). 
It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## Extracted from nss ++## with $FreeBSD$ ++## ++## @generated *** 13295 LINES SKIPPED ***
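Review bot: In the hunk at @@ -171,13 +197,13 @@, narrowing the match to CKA_TRUST_SERVER_AUTH means the confess "Unknown trust setting on line $.:" guard no longer sees CKA_TRUST_EMAIL_PROTECTION or CKA_TRUST_CODE_SIGNING lines, so an unrecognised CK_TRUST value on either attribute now passes silently instead of stopping the script. If the generated bundle is meant to reflect server-auth trust only, say so in a comment above the "if", and consider keeping a second match on the other two attributes that only checks the value against the known settings. The $2 to $1 renumbering is consistent with the removed capture group.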
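Review bot: In the hunk at @@ -197,16 +223,22 @@, the duplicate check "if (defined $certs{$label."\0".$serial})" still runs before the new "if (defined $certdata)" test, so a hash key is built from $label and $serial even on the path where grabcert() handed back nothing to store. Either move the duplicate check inside the "defined $certdata" branch or document that grabcert() always returns the label and serial. The else branch only does "$untrusted ++;", so nothing records which root was dropped because of distrust_after; a warn naming $label there would let someone auditing the generated trust store see which certificates were skipped, and a separate counter would keep these apart from whatever else $untrusted counts now that its declaration has moved above this loop. The matching CKO_NSS_TRUST object for a skipped certificate is still read by grabtrust(), which can leave a %trusts key with no %certs entry; the visible lines do not show whether the later loops expect that, so it is worth confirming.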
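Review bot: In the generated header of secure/caroot/blacklisted/Camerfirma_Chambers_of_Commerce_Root.pem, the provenance lines read "Extracted from nss" with nothing after it and "with $FreeBSD$" with the keyword unexpanded, so the file does not record which certdata.txt revision or script revision produced it. The header is also worded as it would be for a trusted root and never says the certificate is distrusted; one added "##" line stating that, and whether the reason was CKT_NSS_NOT_TRUSTED or distrust_after, would help anyone who meets the file outside the blacklisted/ directory. The same applies to the Camerfirma_Global_Chambersign_Root.pem header that follows.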