git: 06731fae1b - main - Add EN-21:09, EN-21:10, and SA-21:08 through SA-21:10. Approved by: so
Gordon Tetlow
gordon at FreeBSD.org
Tue Apr 6 20:13:55 UTC 2021
The branch main has been updated by gordon (src committer):
URL: https://cgit.FreeBSD.org/doc/commit/?id=06731fae1bedfd833b102bbb3c81ba6f59b93168
commit 06731fae1bedfd833b102bbb3c81ba6f59b93168
Author: Gordon Tetlow <gordon at FreeBSD.org>
AuthorDate: 2021-04-06 20:12:54 +0000
Commit: Gordon Tetlow <gordon at FreeBSD.org>
CommitDate: 2021-04-06 20:12:54 +0000
Add EN-21:09, EN-21:10, and SA-21:08 through SA-21:10.
Approved by: so
---
website/data/security/advisories.toml | 12 ++
website/data/security/errata.toml | 8 +
.../security/advisories/FreeBSD-EN-21:09.pf.asc | 119 +++++++++++++++
.../security/advisories/FreeBSD-EN-21:10.lldb.asc | 119 +++++++++++++++
.../security/advisories/FreeBSD-SA-21:08.vm.asc | 166 ++++++++++++++++++++
.../advisories/FreeBSD-SA-21:09.accept_filter.asc | 168 ++++++++++++++++++++
.../advisories/FreeBSD-SA-21:10.jail_mount.asc | 170 +++++++++++++++++++++
website/static/security/patches/EN-21:09/pf.patch | 22 +++
.../static/security/patches/EN-21:09/pf.patch.asc | 16 ++
.../static/security/patches/EN-21:10/lldb.patch | 54 +++++++
.../security/patches/EN-21:10/lldb.patch.asc | 16 ++
.../security/patches/SA-21:08/vm_fault.11.patch | 37 +++++
.../patches/SA-21:08/vm_fault.11.patch.asc | 16 ++
.../security/patches/SA-21:08/vm_fault.12.patch | 37 +++++
.../patches/SA-21:08/vm_fault.12.patch.asc | 16 ++
.../security/patches/SA-21:08/vm_fault.13.patch | 47 ++++++
.../patches/SA-21:08/vm_fault.13.patch.asc | 16 ++
.../security/patches/SA-21:09/accept_filter.patch | 26 ++++
.../patches/SA-21:09/accept_filter.patch.asc | 16 ++
.../security/patches/SA-21:10/jail_mount.11.patch | 15 ++
.../patches/SA-21:10/jail_mount.11.patch.asc | 16 ++
.../security/patches/SA-21:10/jail_mount.12.patch | 17 +++
.../patches/SA-21:10/jail_mount.12.patch.asc | 16 ++
.../security/patches/SA-21:10/jail_mount.13.patch | 17 +++
.../patches/SA-21:10/jail_mount.13.patch.asc | 16 ++
25 files changed, 1178 insertions(+)
diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml
index 08e22e3be7..b3a4c14939 100644
--- a/website/data/security/advisories.toml
+++ b/website/data/security/advisories.toml
@@ -1,6 +1,18 @@
# Sort advisories by year, month and day
# $FreeBSD$
+[[advisories]]
+name = "FreeBSD-SA-21:10.jail_mount"
+date = "2021-04-06"
+
+[[advisories]]
+name = "FreeBSD-SA-21:09.accept_filter"
+date = "2021-04-06"
+
+[[advisories]]
+name = "FreeBSD-SA-21:08.vm"
+date = "2021-04-06"
+
[[advisories]]
name = "FreeBSD-SA-21:07.openssl"
date = "2021-03-25"
diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml
index d6a17c8a9b..bf235e7212 100644
--- a/website/data/security/errata.toml
+++ b/website/data/security/errata.toml
@@ -1,6 +1,14 @@
# Sort errata notices by year, month and day
# $FreeBSD$
+[[notices]]
+name = "FreeBSD-EN-21:10.lldb"
+date = "2021-04-06"
+
+[[notices]]
+name = "FreeBSD-EN-21:09.pf"
+date = "2021-04-06"
+
[[notices]]
name = "FreeBSD-EN-21:08.freebsd-update"
date = "2021-02-24"
diff --git a/website/static/security/advisories/FreeBSD-EN-21:09.pf.asc b/website/static/security/advisories/FreeBSD-EN-21:09.pf.asc
new file mode 100644
index 0000000000..16e3bb7d68
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-21:09.pf.asc
@@ -0,0 +1,119 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-21:09.pf Errata Notice
+ The FreeBSD Project
+
+Topic: net.pf.request_maxcount not settable from loader.conf(5)
+
+Category: core
+Module: pf
+Announced: 2021-04-06
+Affects: FreeBSD 12.2
+Corrected: 2020-12-15 08:29:45 UTC (stable/12, 12.2-STABLE)
+ 2021-04-06 19:21:24 UTC (releng/12.2, 12.2-RELEASE-p6)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+pf(4) is an Internet Protocol packet filter originally written for OpenBSD.
+
+II. Problem Description
+
+The net.pf.request_maxcount sysctl provides an upper bound on the amount of
+memory used by pf(4) to store various types of state. Prior to FreeBSD 12.2
+this sysctl was read-only and could only be adjusted via loader.conf(5). In
+FreeBSD 12.2, the sysctl was made writeable, but lost the ability to be
+adjusted from loader.conf(5).
+
+III. Impact
+
+pf(4) may fail to load filtering rules if they cause the default
+request_maxcount bound to be exceeded. Users that relied on loader.conf to
+increase the request_maxcount value could see their rules fail to load.
+
+IV. Workaround
+
+The value of request_maxcount may be set via sysctl.conf(5).
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-21:09/pf.patch
+# fetch https://security.FreeBSD.org/patches/EN-21:09/pf.patch.asc
+# gpg --verify pf.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r368656
+releng/12.2/ r369554
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:09.pf.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=7QHR
+-----END PGP SIGNATURE-----
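Review bot: Step 2c of the Solution section tells source-patch users to rebuild with buildworld and installworld, but the pf.patch added in this same commit changes only `sys/netpfil/pf/pf.c`, which is kernel source, so those steps would not install the corrected code. The security advisories in this commit use `Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system.` for kernel fixes, and that wording fits here as well. The binary-update steps also omit a reboot, although the corrected loader.conf(5) handling presumably only takes effect once the new kernel or pf module is loaded. Because the notice is clearsigned, correcting the text means publishing a re-signed revision rather than editing the file in place.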
diff --git a/website/static/security/advisories/FreeBSD-EN-21:10.lldb.asc b/website/static/security/advisories/FreeBSD-EN-21:10.lldb.asc
new file mode 100644
index 0000000000..ac25f41455
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-21:10.lldb.asc
@@ -0,0 +1,119 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-21:10.lldb Errata Notice
+ The FreeBSD Project
+
+Topic: lldb abort on print command
+
+Category: contrib
+Module: lldb
+Announced: 2021-04-06
+Affects: FreeBSD 12.2
+Corrected: 2020-10-31 18:42:03 UTC (stable/12, 12.2-STABLE)
+ 2021-04-06 19:21:27 UTC (releng/12.2, 12.2-RELEASE-p6)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+lldb is the debugger from the LLVM project. Version 10.0.1 is included
+in FreeBSD 12.2.
+
+II. Problem Description
+
+Attempts to use lldb's `print` command (`p` alias) resulted in lldb
+aborting.
+
+III. Impact
+
+Some common debugger functionality cannot be used.
+
+IV. Workaround
+
+No general workaround is available. Information provided by certain print
+expressions may be available by using other commands, such as
+`frame variable` (`fr v` alias).
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-21:10/lldb.patch
+# fetch https://security.FreeBSD.org/patches/EN-21:10/lldb.patch.asc
+# gpg --verify lldb.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r367228
+releng/12.2/ r369555
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248745>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:10.lldb.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=boNk
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-21:08.vm.asc b/website/static/security/advisories/FreeBSD-SA-21:08.vm.asc
new file mode 100644
index 0000000000..d9513f4eee
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-21:08.vm.asc
@@ -0,0 +1,166 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-21:08.vm Security Advisory
+ The FreeBSD Project
+
+Topic: Memory disclosure by stale virtual memory mapping
+
+Category: core
+Module: vm
+Announced: 2021-04-06
+Credits: Ryan Libby, Dell Inc.
+Affects: All supported versions of FreeBSD.
+Corrected: 2021-04-06 18:50:46 UTC (stable/13, 13.0-STABLE)
+ 2021-04-06 19:18:49 UTC (releng/13.0, 13.0-RC5-p1)
+ 2021-04-06 19:20:46 UTC (stable/12, 12.2-STABLE)
+ 2021-04-06 19:21:30 UTC (releng/12.2, 12.2-RELEASE-p6)
+ 2021-04-06 19:22:31 UTC (stable/11, 11.4-STABLE)
+ 2021-04-06 19:22:56 UTC (releng/11.4, 11.4-RELEASE-p9)
+CVE Name: CVE-2021-29626
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+Memory mappings shared between processes are a feature of the FreeBSD
+virtual memory system. They may be established by unprivileged
+processes with the mmap(2), fork(2), and other system calls.
+
+II. Problem Description
+
+A particular case of memory sharing is mishandled in the virtual memory
+system. It is possible and legal to establish a relationship where
+multiple descendant processes share a mapping which shadows memory of an
+ancestor process. In this scenario, when one process modifies memory
+through such a mapping, the copy-on-write logic fails to invalidate
+other mappings of the source page. These stale mappings may remain even
+after the mapped pages have been reused for another purpose.
+
+III. Impact
+
+An unprivileged local user process can maintain a mapping of a page
+after it is freed, allowing that process to read private data belonging
+to other processes or the kernel.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 13.0]
+# fetch https://security.FreeBSD.org/patches/SA-21:08/vm_fault.13.patch
+# fetch https://security.FreeBSD.org/patches/SA-21:08/vm_fault.13.patch.asc
+# gpg --verify vm_fault.13.patch.asc
+
+[FreeBSD 12.2]
+# fetch https://security.FreeBSD.org/patches/SA-21:08/vm_fault.12.patch
+# fetch https://security.FreeBSD.org/patches/SA-21:08/vm_fault.12.patch.asc
+# gpg --verify vm_fault.12.patch.asc
+
+[FreeBSD 11.4]
+# fetch https://security.FreeBSD.org/patches/SA-21:08/vm_fault.11.patch
+# fetch https://security.FreeBSD.org/patches/SA-21:08/vm_fault.11.patch.asc
+# gpg --verify vm_fault.11.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/13/ 2e08308d62f3 stable/13-n245117
+releng/13.0/ 724bc23da1a9 releng/13.0-n244728
+stable/12/ r369551
+releng/12.2/ r369556
+stable/11/ r369559
+releng/11.4/ r369561
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing HHHHHH with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=HHHHHH>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29626>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-21:08.vm.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=rC4V
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-21:09.accept_filter.asc b/website/static/security/advisories/FreeBSD-SA-21:09.accept_filter.asc
new file mode 100644
index 0000000000..0e58b59b15
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-21:09.accept_filter.asc
@@ -0,0 +1,168 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-21:09.accept_filter Security Advisory
+ The FreeBSD Project
+
+Topic: double free in accept_filter(9) socket configuration interface
+
+Category: core
+Module: accept_filter
+Announced: 2021-04-06
+Credits: Alexey Kulaev
+Affects: FreeBSD 12.2 and later.
+Corrected: 2021-03-28 00:24:15 UTC (stable/13, 13.0-STABLE)
+ 2021-03-28 15:03:37 UTC (releng/13.0, 13.0-RC4)
+ 2021-03-28 00:26:49 UTC (stable/12, 12.2-STABLE)
+ 2021-04-06 19:21:21 UTC (releng/12.2, 12.2-RELEASE-p6)
+CVE Name: CVE-2021-29627
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+FreeBSD features an accept_filter(9) mechanism which allows an
+application to request that the kernel pre-process incoming connections.
+For example, the accf_http(9) accept filter prevents accept(2) from
+returning until a full HTTP request has been buffered.
+
+No accept filters are enabled by default. A system administrator must
+either compile the FreeBSD kernel with a particular accept filter option
+(such as ACCEPT_FILTER_HTTP) or load the filter using kldload(8) in
+order to utilize accept filters.
+
+II. Problem Description
+
+An unprivileged process can configure an accept filter on a listening
+socket. This is done using the setsockopt(2) system call. The process
+supplies the name of the accept filter which is to be attached to the
+socket, as well as a string containing filter-specific information.
+
+If the filter implements the accf_create callback, the socket option
+handler attempts to preserve the process-supplied argument string. A
+bug in the socket option handler caused this string to be freed
+prematurely, leaving a dangling pointer. Additional operations on the
+socket can turn this into a double free or a use-after-free.
+
+III. Impact
+
+The bug may be exploited to trigger local privilege escalation or kernel
+memory disclosure.
+
+IV. Workaround
+
+Systems not using accept filters, or using only the accept filters
+included with the FreeBSD base system (accf_data(9), accf_dns(9), and
+accf_http(9)) are unaffected. Note that no accept filters are loaded
+in the kernel by default.
+
+Systems using a third-party accept filter module are affected if the
+module defines an accf_create callback. In this case, the only
+workaround is to ensure that the module is not loaded into the kernel.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-21:09/accept_filter.patch
+# fetch https://security.FreeBSD.org/patches/SA-21:09/accept_filter.patch.asc
+# gpg --verify accept_filter.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/13/ c7d10e7ec872 stable/13-n245050
+releng/13.0/ af6611e5adc6 releng/13.0-n244711
+stable/12/ r369525
+releng/12.2/ r369553
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing HHHHHH with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=HHHHHH>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<other info on vulnerability>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29627>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-21:09.accept_filter.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=UfpF
+-----END PGP SIGNATURE-----
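Review bot: Section VII (References) still carries the template placeholder `<other info on vulnerability>` ahead of the CVE link, and the same leftover line appears in FreeBSD-SA-21:10.jail_mount.asc later in this commit. Either replace it with an actual reference or drop it so the section opens at the `<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=...>` line. Both advisories are clearsigned, so removing the line changes the signed body and requires a re-signed revision; anyone verifying the published text against the signature would otherwise see a mismatch.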
diff --git a/website/static/security/advisories/FreeBSD-SA-21:10.jail_mount.asc b/website/static/security/advisories/FreeBSD-SA-21:10.jail_mount.asc
new file mode 100644
index 0000000000..dd5b048a37
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-21:10.jail_mount.asc
@@ -0,0 +1,170 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-21:10.jail_mount Security Advisory
+ The FreeBSD Project
+
+Topic: jail escape possible by mounting over jail root
+
+Category: core
+Module: jail
+Announced: 2021-04-06
+Credits: Mateusz Guzik
+Affects: All supported versions of FreeBSD.
+Corrected: 2021-04-06 18:50:48 UTC (stable/13, 13.0-STABLE)
+ 2021-04-06 19:18:59 UTC (releng/13.0, 13.0-RC5-p1)
+ 2021-04-06 19:20:50 UTC (stable/12, 12.2-STABLE)
+ 2021-04-06 19:21:33 UTC (releng/12.2, 12.2-RELEASE-p6)
+ 2021-04-06 19:22:31 UTC (stable/11, 11.4-STABLE)
+ 2021-04-06 19:22:59 UTC (releng/11.4, 11.4-RELEASE-p9)
+CVE Name: CVE-2020-25584
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The jail(2) system call allows a system administrator to lock a process
+and all of its descendants inside an environment with a very limited
+ability to affect the system outside that environment, even for
+processes with superuser privileges. It is an extension of, but
+far more powerful than, the traditional UNIX chroot(2) system call.
+
+II. Problem Description
+
+Due to a race condition between lookup of ".." and remounting a filesystem,
+a process running inside a jail might access filesystem hierarchy outside
+of jail.
+
+III. Impact
+
+A process with superuser privileges running inside a jail configured
+with the allow.mount permission (not enabled by default) could change the root
+directory outside of the jail, and thus gain full read and write access
+to all files and directories in the system.
+
+IV. Workaround
+
+As a workaround, disable allow.mount permission for all jails with untrusted
+root users; see jail(1) and jail.conf(5) manual pages for details.
+
+Note that this permission is not enabled by default.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 13.0]
+# fetch https://security.FreeBSD.org/patches/SA-21:10/jail_mount.13.patch
+# fetch https://security.FreeBSD.org/patches/SA-21:10/jail_mount.13.patch.asc
+# gpg --verify jail_mount.13.patch.asc
+
+[FreeBSD 12.2]
+# fetch https://security.FreeBSD.org/patches/SA-21:10/jail_mount.12.patch
+# fetch https://security.FreeBSD.org/patches/SA-21:10/jail_mount.12.patch.asc
+# gpg --verify jail_mount.12.patch.asc
+
+[FreeBSD 11.4]
+# fetch https://security.FreeBSD.org/patches/SA-21:10/jail_mount.11.patch
+# fetch https://security.FreeBSD.org/patches/SA-21:10/jail_mount.11.patch.asc
+# gpg --verify jail_mount.11.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/13/ 3ae17faa3704 stable/13-n245118
+releng/13.0/ 4710439ec594 releng/13.0-n244729
+stable/12/ r369552
+releng/12.2/ r369557
+stable/11/ r369560
+releng/11.4/ r369562
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing HHHHHH with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=HHHHHH>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<other info on vulnerability>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25584>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-21:10.jail_mount.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=g2On
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-21:09/pf.patch b/website/static/security/patches/EN-21:09/pf.patch
new file mode 100644
index 0000000000..7407c4494a
--- /dev/null
+++ b/website/static/security/patches/EN-21:09/pf.patch
@@ -0,0 +1,22 @@
+ MFC r368588:
+
+ pf: Allow net.pf.request_maxcount to be set from loader.conf
+
+ Mark request_maxcount as RWTUN so we can set it both at runtime and from
+ loader.conf. This avoids users getting caught out by the change from tunable to
+ run time configuration.
+
+ Suggested by: Franco Fichtner
+
+ (cherry picked from commit 08d13750ebdae45bcdb73d52665b823e9ba93db1)
+--- sys/netpfil/pf/pf.c.orig
++++ sys/netpfil/pf/pf.c
+@@ -382,7 +382,7 @@
+ &pf_hashsize, 0, "Size of pf(4) states hashtable");
+ SYSCTL_ULONG(_net_pf, OID_AUTO, source_nodes_hashsize, CTLFLAG_RDTUN,
+ &pf_srchashsize, 0, "Size of pf(4) source nodes hashtable");
+-SYSCTL_ULONG(_net_pf, OID_AUTO, request_maxcount, CTLFLAG_RW,
++SYSCTL_ULONG(_net_pf, OID_AUTO, request_maxcount, CTLFLAG_RWTUN,
+ &pf_ioctl_maxcount, 0, "Maximum number of tables, addresses, ... in a single ioctl() call");
+
+ VNET_DEFINE(void *, pf_swi_cookie);
diff --git a/website/static/security/patches/EN-21:09/pf.patch.asc b/website/static/security/patches/EN-21:09/pf.patch.asc
new file mode 100644
index 0000000000..1b708cc8a3
--- /dev/null
+++ b/website/static/security/patches/EN-21:09/pf.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=ESG4
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-21:10/lldb.patch b/website/static/security/patches/EN-21:10/lldb.patch
new file mode 100644
index 0000000000..38f58bfa57
--- /dev/null
+++ b/website/static/security/patches/EN-21:10/lldb.patch
@@ -0,0 +1,54 @@
+--- contrib/llvm-project/lldb/source/Target/Target.cpp.orig
++++ contrib/llvm-project/lldb/source/Target/Target.cpp
+@@ -2412,21 +2412,13 @@
+
+ llvm::Expected<lldb_private::Address> Target::GetEntryPointAddress() {
+ Module *exe_module = GetExecutableModulePointer();
+- llvm::Error error = llvm::Error::success();
+- assert(!error); // Check the success value when assertions are enabled.
+
+- if (!exe_module || !exe_module->GetObjectFile()) {
+- error = llvm::make_error<llvm::StringError>("No primary executable found",
+- llvm::inconvertibleErrorCode());
+- } else {
++ // Try to find the entry point address in the primary executable.
++ const bool has_primary_executable = exe_module && exe_module->GetObjectFile();
++ if (has_primary_executable) {
+ Address entry_addr = exe_module->GetObjectFile()->GetEntryPointAddress();
+ if (entry_addr.IsValid())
+ return entry_addr;
+-
+- error = llvm::make_error<llvm::StringError>(
+- "Could not find entry point address for executable module \"" +
+- exe_module->GetFileSpec().GetFilename().GetStringRef() + "\"",
+- llvm::inconvertibleErrorCode());
+ }
+
+ const ModuleList &modules = GetImages();
+@@ -2437,14 +2429,21 @@
+ continue;
+
+ Address entry_addr = module_sp->GetObjectFile()->GetEntryPointAddress();
+- if (entry_addr.IsValid()) {
+- // Discard the error.
+- llvm::consumeError(std::move(error));
++ if (entry_addr.IsValid())
+ return entry_addr;
+- }
+ }
+
+- return std::move(error);
++ // We haven't found the entry point address. Return an appropriate error.
++ if (!has_primary_executable)
++ return llvm::make_error<llvm::StringError>(
++ "No primary executable found and could not find entry point address in "
++ "any executable module",
++ llvm::inconvertibleErrorCode());
++
++ return llvm::make_error<llvm::StringError>(
++ "Could not find entry point address for primary executable module \"" +
++ exe_module->GetFileSpec().GetFilename().GetStringRef() + "\"",
++ llvm::inconvertibleErrorCode());
+ }
+
+ lldb::addr_t Target::GetCallableLoadAddress(lldb::addr_t load_addr,
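Review bot: lldb.patch begins directly at the `---`/`+++` header with no provenance preamble, whereas pf.patch in this same commit records the MFC revision and the cherry-picked commit hash. Someone applying the patch by hand then has to open the advisory to learn which change it corresponds to; a short leading comment such as `Corrected in stable/12 r367228; see FreeBSD-EN-21:10.lldb` would make the file self-describing. The file has a detached signature (lldb.patch.asc), so adding the preamble means re-signing. Note that `Target::GetEntryPointAddress()` is split across the two inner hunks, so its module loop is only partly visible here.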
diff --git a/website/static/security/patches/EN-21:10/lldb.patch.asc b/website/static/security/patches/EN-21:10/lldb.patch.asc
new file mode 100644
index 0000000000..533380c6d0
--- /dev/null
+++ b/website/static/security/patches/EN-21:10/lldb.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=XWab
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/SA-21:08/vm_fault.11.patch b/website/static/security/patches/SA-21:08/vm_fault.11.patch
*** 391 LINES SKIPPED ***