git: 40b6db4afe - main - Add EN-22:28 and SA-22:15. Revise SA-22:14.
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 29 Nov 2022 23:36:57 UTC
The branch main has been updated by gordon (src committer):
URL: https://cgit.FreeBSD.org/doc/commit/?id=40b6db4afe1f149f24cfad6b60d9b141c59cbb05
commit 40b6db4afe1f149f24cfad6b60d9b141c59cbb05
Author: Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2022-11-29 23:36:25 +0000
Commit: Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2022-11-29 23:36:25 +0000
Add EN-22:28 and SA-22:15. Revise SA-22:14.
Approved by: so
---
website/data/security/advisories.toml | 4 +
website/data/security/errata.toml | 4 +
.../advisories/FreeBSD-EN-22:28.heimdal.asc | 158 ++++++++++++++++++++
.../advisories/FreeBSD-SA-22:14.heimdal.asc | 52 +++++--
.../security/advisories/FreeBSD-SA-22:15.ping.asc | 161 +++++++++++++++++++++
.../static/security/patches/EN-22:28/heimdal.patch | 16 ++
.../security/patches/EN-22:28/heimdal.patch.asc | 16 ++
.../static/security/patches/SA-22:15/ping.patch | 114 +++++++++++++++
.../security/patches/SA-22:15/ping.patch.asc | 16 ++
9 files changed, 526 insertions(+), 15 deletions(-)
diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml
index 9f761f4ff7..6a3d6ed32c 100644
--- a/website/data/security/advisories.toml
+++ b/website/data/security/advisories.toml
@@ -1,6 +1,10 @@
# Sort advisories by year, month and day
# $FreeBSD$
+[[advisories]]
+name = "FreeBSD-SA-22:15.ping"
+date = "2022-11-29"
+
[[advisories]]
name = "FreeBSD-SA-22:14.heimdal"
date = "2022-11-15"
diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml
index abe9329081..b4a4a7c26d 100644
--- a/website/data/security/errata.toml
+++ b/website/data/security/errata.toml
@@ -1,6 +1,10 @@
# Sort errata notices by year, month and day
# $FreeBSD$
+[[notices]]
+name = "FreeBSD-EN-22:28.heimdal"
+date = "2022-11-29"
+
[[notices]]
name = "FreeBSD-EN-22:27.loader"
date = "2022-11-01"
diff --git a/website/static/security/advisories/FreeBSD-EN-22:28.heimdal.asc b/website/static/security/advisories/FreeBSD-EN-22:28.heimdal.asc
new file mode 100644
index 0000000000..e8fef4cc8a
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-22:28.heimdal.asc
@@ -0,0 +1,158 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-22:28.heimdal Errata Notice
+ The FreeBSD Project
+
+Topic: Regression in Heimdal KDC
+
+Category: contrib
+Module: heimdal
+Announced: 2022-11-29
+Affects: All supported versions of FreeBSD.
+Corrected: 2022-11-18 01:09:42 UTC (stable/13, 13.1-STABLE)
+ 2022-11-29 23:04:48 UTC (releng/13.1, 13.1-RELEASE-p5)
+ 2022-11-18 01:10:53 UTC (stable/12, 12.4-STABLE)
+ 2022-11-29 23:19:12 UTC (releng/12.4, 12.4-RC2-p2)
+ 2022-11-29 23:16:21 UTC (releng/12.3, 12.3-RELEASE-p10)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+Heimdal implements the Kerberos 5 network authentication protocols.
+
+A Key Distribution Center (KDC) is trusted by all principals registered
+in that administrative "realm" to store a secret key in confidence, of
+which, the proof of knowledge is used to verify the authenticity of a
+principal.
+
+FreeBSD-SA-22:14.heimdal corrected multiple vulnerabilities in the Heimdal
+implementation of the Kerberos 5 network authentication protocols and KDC
+included as part of the FreeBSD base system.
+
+II. Problem Description
+
+The patch released with FreeBSD-SA-22:14.heimdal included an inadvertently
+merged block of code which prevents the KDC from issuing valid tickets.
+
+III. Impact
+
+A system patched with FreeBSD-SA-22:14.heimdal will have a defective KDC.
+
+IV. Workaround
+
+No workaround is available. Systems that were not updated with the patch from
+FreeBSD-SA-22:14.heimdal are not affected. Note that unpatched systems are
+vulnerable to multiple security issues.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+A reboot is recommended.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+A reboot is recommended.
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-22:28/heimdal.patch
+# fetch https://security.FreeBSD.org/patches/EN-22:28/heimdal.patch.asc
+# gpg --verify heimdal.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that use Kerberos, or reboot the system.
+
+VI. Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/13/ b23fe6badeba stable/13-n253102
+releng/13.1/ 10571c04c9dd releng/13.1-n250173
+stable/12/ r372759
+releng/12.4/ r372779
+releng/12.3/ r372776
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-22:14.heimdal.asc>
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267827>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-22:28.heimdal.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmOGlvgACgkQ05eS9J6n
+5cISog/8DVRGrMXWSdmaqa5KpO3SZ1o5mmhZDWYKRxDQZv0puJ6lTus44VtixzM6
+ft1zRe2yQy3YoTtcxho2jY8zppcdg5r4rIR4rXsxIAjufxd53hxmWYXjN6zObxTB
+Owebw+xvJSG5ls020iRECI+YjE32ssXLBI7XkqOVnErF/UmxkTQM86VPHene3WwU
+EhwwM1i7ZUdl/11tGPft975u5waKUFxeRF4jpFLu/pbDqHBoFgY4AT2ivs+6jwaO
+o4X0gBDKDh/xXU7yFSdPfF09PRgSCosPMr8UNWXBlS6WYEmGPiRlS3NDB8EMFDw/
+AElMEqlT55DzdFi4qD91x+FPeIQ+NbJCNjFuZDXv4lZtAvGF/ue4wfxH/ZNcAo06
+SH1tJolwu0l6Q7e/6a+cU7RsonVhv7K2j5DKddoNSZcla/kg9z1IkYGgt0OrtOWn
+eMhuiLNsBZwebWsYWT/MG5nHaL79jWKPy69c+b8yXcpdrpfC4DNVmnTiiHzpus46
+9K4X5aOgCMW6C19hIWvH74s6sWo8ZoEz4BaslJZ7AeHSv6HPGfUZBygtYm739a/J
+U8WN+rRIzsaxHQXts6LF8xroJtUvxQ76TZgK58k/Pma+Xa0vdYLcyqd/XEaFm1CW
+7rLqVzTsHTlOz7JaMLnNm1aY6KKyERnJ94ii+LOjeldCAVWMNE0=
+=aUbR
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-22:14.heimdal.asc b/website/static/security/advisories/FreeBSD-SA-22:14.heimdal.asc
index 93947ecf2c..663a2236bf 100644
--- a/website/static/security/advisories/FreeBSD-SA-22:14.heimdal.asc
+++ b/website/static/security/advisories/FreeBSD-SA-22:14.heimdal.asc
@@ -5,11 +5,12 @@ Hash: SHA512
FreeBSD-SA-22:14.heimdal Security Advisory
The FreeBSD Project
-Topic: Multiple vulnerabilities in Heimdal
+Topic: Multiple vulnerabilities in Heimdal [REVISED]
Category: contrib
Module: heimdal
Announced: 2022-11-15
+Revised: 2022-11-29
Affects: All supported versions of FreeBSD.
Corrected: 2022-11-15 21:15:35 UTC (stable/13, 13.1-STABLE)
2022-11-16 01:50:27 UTC (releng/13.1, 13.1-RELEASE-p4)
@@ -19,6 +20,11 @@ Corrected: 2022-11-15 21:15:35 UTC (stable/13, 13.1-STABLE)
CVE Name: CVE-2019-14870, CVE-2022-3437, CVE-2022-42898,
CVE-2022-44640, CVE-2021-44758
+0. Revision history
+
+v1.0 2022-11-15 Initial release.
+v1.1 2022-11-29 Updated with reference to FreeBSD-EN-22:28.heimdal.
+
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
@@ -97,7 +103,20 @@ b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
-c) Recompile the operating system using buildworld and installworld as
+c) The original revision of this advisory included a patch which renders the
+KDC inoperative. This was corrected in FreeBSD-EN-22:28.heimdal. Systems
+using the KDC must download and verify an additional patch:
+
+# fetch https://security.FreeBSD.org/patches/EN-22:28/heimdal.patch
+# fetch https://security.FreeBSD.org/patches/EN-22:28/heimdal.patch.asc
+# gpg --verify heimdal.patch.asc
+
+d) Apply the additional patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+e) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart all daemons that use the Kerberos, or reboot the system.
@@ -153,21 +172,24 @@ VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42898>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44640>
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267827>
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-22:28.heimdal.asc>
+
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-22:14.heimdal.asc>
-----BEGIN PGP SIGNATURE-----
-iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmN0Ud0ACgkQ05eS9J6n
-5cKIKA//bRccdsoilKJvyQw9RazwJ0HENGbPF1RdjyG1nmMsp5wG+rqAdnN0LF8p
-SgEqfZjCx+KXNJBkzblKzduFK9VQ211dbjouwd/BVCbMYemUIs1DqobF6uvYnMbn
-vhQ2lUtZ46WbgvjXOcfsHakmCV2V2kCzBFsCKCQFPcYSch5n9gGW+I4cfewF8+fB
-+sjvhz7MDyLaCVB3UpxPUIMc3w/G18zzyhHdhuJOaCrCjf00Mt4Er40ICr+IkRy5
-PpwdX60yvwk3uxzzMyIC5zcS3CD6qFUOaSIXfEuGWGl7Wo7MjoCXECE1sbwLVat8
-K1FJtNIADZJkURzkgjvp9rHQHwZFkLMawrkyik4apHgGsY2pXktZGhcw/qN2BNNn
-uo3HILrjbYK5eU5zLU17FS9X5qTurIcqdVJCIklvjNqW7DAuN3K1I9ryat4w5sST
-ToW5LpLtP9DoI9M9Bh3Mqba629iuXRmQ6LZ6p9EGSFr2i7e3VDEcvMxkGO6Sh8M3
-w67FpqWzeQ1RT2q2YL013emKq6C+oYDjMDDejAqH2Wwwae/7yQiNnXBqvokIXmi4
-KLupHptt0CPFPOFBLloxXBPenYu/49SRWeUoxBqspQuvCY708j1mUntaVtAFm/ax
-QElUUEEmcuJhsBzTzBnS82oe7IRwv3NQm55zkOn+DQZ2HjV/GaY=
-=jmOK
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmOGlpAACgkQ05eS9J6n
+5cJFGQ//TbsJox2faNwQaBoQy/gFSP6TgauZTZJR5A5Y6bRMcvkNJyl3KIM2XlWD
+W+lJlxL7kERjv9zD6iI8rns4+FOO2p9f4ICZsWy88ABQrmpuz2N22MSd8NyXeRv0
+30HyftaUMZdAPHVk5Piu7l3U6S4tPiO1BZEoMucG8cby1eWlPMtuH3K/0/CLZmPc
+F8U+oRDwB5KnZgP39JmvejvGoXik1lhCrvaLZ5fG1QEmyb1xtjHfT+QSkh9FWLxz
+jrHfwgpZFERprpMzqZAicbinV/LjZMfEbckJygzGNzSTTPD+uqT/jDmY+iHnkdF1
+Lw9R8pJoJIpvckRrPLQIOZZuz/Xd4FRB7Gc/q4/x4HTP/8y/x1uKZmcbrh86W9xu
+9jCLMgpqETEjHhqADX7Z4+7oxhCPmgSJP8dX5o0HvORs4bqqxbkLqkCsp8QXdcES
+vftJGgpt1IPO8MBcr4pG6+cEcZQuk7qX0/D3PArxLkwU2coimP2MmjxyeWBX5GrI
+zgdF2HiUYvuZXyt1FMgve+8JkS1RYEE+yPWeOJ5RnIuHnIaNTD81o1gIYuFL3ECb
+UAREi6FYskzeJQ/W2ZRMwQPGMPDQI901+msfStjxgx92rKhxLW+rDsg0EUsApoOv
+DzIaeCtOGCZMG/mLvVhOLYbqmFrHDbWy8cMoSti/lnx7OdLpnn4=
+=L299
-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-22:15.ping.asc b/website/static/security/advisories/FreeBSD-SA-22:15.ping.asc
new file mode 100644
index 0000000000..53807fc550
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-22:15.ping.asc
@@ -0,0 +1,161 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-22:15.ping Security Advisory
+ The FreeBSD Project
+
+Topic: Stack overflow in ping(8)
+
+Category: core
+Module: ping
+Announced: 2022-11-29
+Credits: Tom Jones
+Affects: All supported versions of FreeBSD.
+Corrected: 2022-11-29 22:56:33 UTC (stable/13, 13.1-STABLE)
+ 2022-11-29 23:00:43 UTC (releng/13.1, 13.1-RELEASE-p5)
+ 2022-11-29 22:57:16 UTC (stable/12, 12.4-STABLE)
+ 2022-11-29 23:19:09 UTC (releng/12.4, 12.4-RC2-p2)
+ 2022-11-29 23:16:17 UTC (releng/12.3, 12.3-RELEASE-p10)
+CVE Name: CVE-2022-23093
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+ping(8) is a program that can be used to test reachability of a remote
+host using ICMP messages. To send and receive ICMP messages, ping makes
+use of raw sockets and therefore requires elevated privileges. To make
+ping's functionality available to unprivileged users, it is installed
+with the setuid bit set. When ping runs, it creates the raw socket
+needed to do its work, and then revokes its elevated privileges.
+
+II. Problem Description
+
+ping reads raw IP packets from the network to process responses in the
+pr_pack() function. As part of processing a response ping has to
+reconstruct the IP header, the ICMP header and if present a "quoted
+packet," which represents the packet that generated an ICMP error. The
+quoted packet again has an IP header and an ICMP header.
+
+The pr_pack() copies received IP and ICMP headers into stack buffers
+for further processing. In so doing, it fails to take into account the
+possible presence of IP option headers following the IP header in
+either the response or the quoted packet. When IP options are present,
+pr_pack() overflows the destination buffer by up to 40 bytes.
+
+III. Impact
+
+The memory safety bugs described above can be triggered by a remote
+host, causing the ping program to crash. It may be possible for a
+malicious host to trigger remote code execution in ping.
+
+The ping process runs in a capability mode sandbox on all affected
+versions of FreeBSD and is thus very constrainted in how it can interact
+with the rest of the system at the point where the bug can occur.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-22:15/ping.patch
+# fetch https://security.FreeBSD.org/patches/SA-22:15/ping.patch.asc
+# gpg --verify ping.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI. Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/13/ 186f495d4be1 stable/13-n253187
+releng/13.1/ 66c7b53d9516 releng/13.1-n250172
+stable/12/ r372774
+releng/12.4/ r372778
+releng/12.3/ r372775
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23093>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-22:15.ping.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmOGlvgACgkQ05eS9J6n
+5cIQGw//ZiF50YbtOc7oYgVcJTGlBEAbKWV6OteTDpXWb/OlwkznGxwzrG0DPvWN
+wHyItOPSAmdxqC4xZUsZh9HNxlim80r5TR1y4BE22Lsg2vL5Ir0h3tcqOKKpHYLS
+KzNgishF1+J56JeU3TpTjOe5QbXK3EZiw092lH8uSXTp3PqcHxBfFuW9Cjc1Rq/u
+ewjHWI7zNCMOpGh3w/v14ZxGl3aFusL1jmrcyi5kZub2Pr0N3bUKgS3/3wXfWF6o
+hcFhl1ChmAwpT/1313LNE7SHPl4HCC5XK4r3w+wniLjOJUhnioOBjay29QLt5O53
+0rYaINNvo7ooBSpcPO9ixta+7dqah+uuW3vnFewuahqNCaAGLhMDSPqyZW7KfYgU
+F7TIDoBRHPHASFb3FOiAAcCNMCvmGl7vFyVoWe0xJ1ion2jqO83R8XOGgnHsPL/l
+cTYTPdECPMIDMvmfIH9UAbNCzKEYdNjWsXUjFJKkxCBtwUcBRsn1TEu24zU2j9mS
+hRlY1DAYVy8raYUnQp/f6Llroim5DKyUYpJpeB3j//Fk6KACRnZKsqsSIj9U3OYf
+KD6zfJ35RrolPHePMPmy6vGPDYFocDo+YQSm1eauwfSeDGnsjBmIdzxahkgEav4Z
+5agsPd2naEntMiJkGGgeuYCifEvkCttJbuTn2s+7VkuTap0uTuA=
+=rown
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-22:28/heimdal.patch b/website/static/security/patches/EN-22:28/heimdal.patch
new file mode 100644
index 0000000000..9480536044
--- /dev/null
+++ b/website/static/security/patches/EN-22:28/heimdal.patch
@@ -0,0 +1,16 @@
+--- crypto/heimdal/lib/asn1/gen_free.c.orig
++++ crypto/heimdal/lib/asn1/gen_free.c
+@@ -61,13 +61,6 @@
+ case TNull:
+ case TGeneralizedTime:
+ case TUTCTime:
+- /*
+- * This doesn't do much, but it leaves zeros where garbage might
+- * otherwise have been found. Gets us closer to having the equivalent
+- * of a memset()-to-zero data structure after calling the free
+- * functions.
+- */
+- fprintf(codefile, "*%s = 0;\n", name);
+ break;
+ case TBitString:
+ if (ASN1_TAILQ_EMPTY(t->members))
diff --git a/website/static/security/patches/EN-22:28/heimdal.patch.asc b/website/static/security/patches/EN-22:28/heimdal.patch.asc
new file mode 100644
index 0000000000..8a6745962a
--- /dev/null
+++ b/website/static/security/patches/EN-22:28/heimdal.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmOGlvgACgkQ05eS9J6n
+5cJJvQ//cupNZsqRq3PRK8cxeHVHLGLFxRhpA8nhQKjCb3Nkk0FccuCZ6exTjktS
+ADbFwdmrDCDbnkBWsGT4p+zH0p13QFCvyKiVriC3KeYA9lJmjupyslM8lVsFjzw0
+9BmoAMQ6Wvh5Rm3MyElRBCBAZXxZP3+eqP+m4zDLiPxZ5jsV/DhZ8IMeaNyXl6tI
+dPtED9mom3Png9oqZ9hpl3RqqExpdbmlqd1pXifftGj28t9x3IKsMhplPKuW2QZm
+xd+CygChbLin2IaM+PkhhX3umqi5WVH68EToWR/iP/mfHPRmb9PUKVWxiTY8rkz/
+ZCG9VJjpQGE/tFdbG/eIS5ZgNM8cNLDiclDs2Yv1896yTFGv/Eirc031VslOYn17
+3HMDJpnNTktaKRgAyjJ1Nq31Ct2KMcrnq97rBKOq5S9Hg1d50FVfXIaJMjhK6AT5
++ydICdjJkTI+9WOvUtYkwE8g4cX3kZqGLnPaYysAThhgUg5bvlZHZkXJe2ujjeth
+uIPXXU6b5C/J3zDET1LwxFgWEA6n24PNEhi+pL6yYP6nf9BBHr2BUa1jZCezZOeX
+0gtZ2uhE7PxgganAtt5TM19RwYee2gULz6feBX4lLmb4ECPatVZDbNASo8IKw8cO
+JxeOiNCjRRNq1I5oSy1rMQSx5B/d86+BaaN4ZyHJTdf2iAd1Trg=
+=xBq4
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/SA-22:15/ping.patch b/website/static/security/patches/SA-22:15/ping.patch
new file mode 100644
index 0000000000..a9de7f3481
--- /dev/null
+++ b/website/static/security/patches/SA-22:15/ping.patch
@@ -0,0 +1,114 @@
+--- sbin/ping/ping.c.orig
++++ sbin/ping/ping.c
+@@ -963,6 +963,9 @@
+ warn("recvmsg");
+ continue;
+ }
++ /* If we have a 0 byte read from recvfrom continue */
++ if (cc == 0)
++ continue;
+ #ifdef SO_TIMESTAMP
+ if (cmsg != NULL &&
+ cmsg->cmsg_level == SOL_SOCKET &&
+@@ -1144,8 +1147,10 @@
+ struct icmp icp;
+ struct ip ip;
+ const u_char *icmp_data_raw;
++ ssize_t icmp_data_raw_len;
+ double triptime;
+- int dupflag, hlen, i, j, recv_len;
++ int dupflag, i, j, recv_len;
++ uint8_t hlen;
+ uint16_t seq;
+ static int old_rrlen;
+ static char old_rr[MAX_IPOPTLEN];
+@@ -1155,15 +1160,27 @@
+ const u_char *oicmp_raw;
+
+ /*
+- * Get size of IP header of the received packet. The
+- * information is contained in the lower four bits of the
+- * first byte.
++ * Get size of IP header of the received packet.
++ * The header length is contained in the lower four bits of the first
++ * byte and represents the number of 4 byte octets the header takes up.
++ *
++ * The IHL minimum value is 5 (20 bytes) and its maximum value is 15
++ * (60 bytes).
+ */
+ memcpy(&l, buf, sizeof(l));
+ hlen = (l & 0x0f) << 2;
+- memcpy(&ip, buf, hlen);
+
+- /* Check the IP header */
++ /* Reject IP packets with a short header */
++ if (hlen < sizeof(struct ip)) {
++ if (options & F_VERBOSE)
++ warn("IHL too short (%d bytes) from %s", hlen,
++ inet_ntoa(from->sin_addr));
++ return;
++ }
++
++ memcpy(&ip, buf, sizeof(struct ip));
++
++ /* Check packet has enough data to carry a valid ICMP header */
+ recv_len = cc;
+ if (cc < hlen + ICMP_MINLEN) {
+ if (options & F_VERBOSE)
+@@ -1175,6 +1192,7 @@
+ #ifndef icmp_data
+ icmp_data_raw = buf + hlen + offsetof(struct icmp, icmp_ip);
+ #else
++ icmp_data_raw_len = cc - (hlen + offsetof(struct icmp, icmp_data));
+ icmp_data_raw = buf + hlen + offsetof(struct icmp, icmp_data);
+ #endif
+
+@@ -1304,12 +1322,45 @@
+ * as root to avoid leaking information not normally
+ * available to those not running as root.
+ */
++
++ /*
++ * If we don't have enough bytes for a quoted IP header and an
++ * ICMP header then stop.
++ */
++ if (icmp_data_raw_len <
++ (ssize_t)(sizeof(struct ip) + sizeof(struct icmp))) {
++ if (options & F_VERBOSE)
++ warnx("quoted data too short (%zd bytes) from %s",
++ icmp_data_raw_len, inet_ntoa(from->sin_addr));
++ return;
++ }
++
+ memcpy(&oip_header_len, icmp_data_raw, sizeof(oip_header_len));
+ oip_header_len = (oip_header_len & 0x0f) << 2;
+- memcpy(&oip, icmp_data_raw, oip_header_len);
++
++ /* Reject IP packets with a short header */
++ if (oip_header_len < sizeof(struct ip)) {
++ if (options & F_VERBOSE)
++ warnx("inner IHL too short (%d bytes) from %s",
++ oip_header_len, inet_ntoa(from->sin_addr));
++ return;
++ }
++
++ /*
++ * Check against the actual IHL length, to protect against
++ * quoated packets carrying IP options.
++ */
++ if (icmp_data_raw_len <
++ (ssize_t)(oip_header_len + sizeof(struct icmp))) {
++ if (options & F_VERBOSE)
++ warnx("inner packet too short (%zd bytes) from %s",
++ icmp_data_raw_len, inet_ntoa(from->sin_addr));
++ return;
++ }
++
++ memcpy(&oip, icmp_data_raw, sizeof(struct ip));
+ oicmp_raw = icmp_data_raw + oip_header_len;
+- memcpy(&oicmp, oicmp_raw, offsetof(struct icmp, icmp_id) +
+- sizeof(oicmp.icmp_id));
++ memcpy(&oicmp, oicmp_raw, sizeof(struct icmp));
+
+ if (((options & F_VERBOSE) && uid == 0) ||
+ (!(options & F_QUIET2) &&
diff --git a/website/static/security/patches/SA-22:15/ping.patch.asc b/website/static/security/patches/SA-22:15/ping.patch.asc
new file mode 100644
index 0000000000..b83c424912
--- /dev/null
+++ b/website/static/security/patches/SA-22:15/ping.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmOGlvgACgkQ05eS9J6n
+5cKnpQ//YlHq4Bwq2PnC64jlhvfkeu7CrC9Y/+XQwen/X5QLr3+RCVeWZKcc+I9r
+ILhIm/B3fw96ruwSHuvp9fP5NUn0RwA7cEku2lWvWErYiadncvDwir2/ShOuRwzw
+0N4zGLx8mZoRJX2cQLSUBeu901pnxbuG1LucfL604j5+wngnQjvuzcXu1ET4N/rZ
+7mif1ruu1SVzarcxKNTGGedbYEqu1x5c5E6wSA7I9KLt4bkFQLrNNfNm3rf7/f1X
+UBe0Ii+kX7MigSu5kLd1cuBEEve+x1PqJ+ccHjIpNIKyrrBttqOtvowmhZCib20D
+kWdna2NUl6O2JmGzQZ2skHbnDeH/f99sCgjmAZodG562r3psQF3PFget9vGIFDNu
+gXlcaT96HwOIzRx36EhZjjV0FZxwvt5uJYokRM6DoYdlsyB2r/vh17ZPhdQJ1N4N
+TZgxp+26bwW4fRHsIosL8/SiDdFtZB5csPDxHz4tEFs830zyCWBSITGfmMcUK6fH
+hpWASCz5Mlez8N2JGLBdfpMFtjaqOlmfzXxd8RkIGja320mizMlEbM5I2B3SLz6L
+B4eeZZmbJGr70LhcZ9wBk3YKPYzpsmwuskgFGaXuKS9iQz/Bc5yJfzyjhBhDKacv
+nmytF6yrwKp6ftvU8yilBbN+/ILvfM3Xqmx2bapSt3D01XR42f8=
+=D5F/
+-----END PGP SIGNATURE-----