git: 06731fae1b - main - Add EN-21:09, EN-21:10, and SA-21:08 through SA-21:10. Approved by: so

Gordon Tetlow gordon at FreeBSD.org
Tue Apr 6 20:13:55 UTC 2021


The branch main has been updated by gordon (src committer):

URL: https://cgit.FreeBSD.org/doc/commit/?id=06731fae1bedfd833b102bbb3c81ba6f59b93168

commit 06731fae1bedfd833b102bbb3c81ba6f59b93168
Author:     Gordon Tetlow <gordon at FreeBSD.org>
AuthorDate: 2021-04-06 20:12:54 +0000
Commit:     Gordon Tetlow <gordon at FreeBSD.org>
CommitDate: 2021-04-06 20:12:54 +0000

    Add EN-21:09, EN-21:10, and SA-21:08 through SA-21:10.
    Approved by:    so
---
 website/data/security/advisories.toml              |  12 ++
 website/data/security/errata.toml                  |   8 +
 .../security/advisories/FreeBSD-EN-21:09.pf.asc    | 119 +++++++++++++++
 .../security/advisories/FreeBSD-EN-21:10.lldb.asc  | 119 +++++++++++++++
 .../security/advisories/FreeBSD-SA-21:08.vm.asc    | 166 ++++++++++++++++++++
 .../advisories/FreeBSD-SA-21:09.accept_filter.asc  | 168 ++++++++++++++++++++
 .../advisories/FreeBSD-SA-21:10.jail_mount.asc     | 170 +++++++++++++++++++++
 website/static/security/patches/EN-21:09/pf.patch  |  22 +++
 .../static/security/patches/EN-21:09/pf.patch.asc  |  16 ++
 .../static/security/patches/EN-21:10/lldb.patch    |  54 +++++++
 .../security/patches/EN-21:10/lldb.patch.asc       |  16 ++
 .../security/patches/SA-21:08/vm_fault.11.patch    |  37 +++++
 .../patches/SA-21:08/vm_fault.11.patch.asc         |  16 ++
 .../security/patches/SA-21:08/vm_fault.12.patch    |  37 +++++
 .../patches/SA-21:08/vm_fault.12.patch.asc         |  16 ++
 .../security/patches/SA-21:08/vm_fault.13.patch    |  47 ++++++
 .../patches/SA-21:08/vm_fault.13.patch.asc         |  16 ++
 .../security/patches/SA-21:09/accept_filter.patch  |  26 ++++
 .../patches/SA-21:09/accept_filter.patch.asc       |  16 ++
 .../security/patches/SA-21:10/jail_mount.11.patch  |  15 ++
 .../patches/SA-21:10/jail_mount.11.patch.asc       |  16 ++
 .../security/patches/SA-21:10/jail_mount.12.patch  |  17 +++
 .../patches/SA-21:10/jail_mount.12.patch.asc       |  16 ++
 .../security/patches/SA-21:10/jail_mount.13.patch  |  17 +++
 .../patches/SA-21:10/jail_mount.13.patch.asc       |  16 ++
 25 files changed, 1178 insertions(+)

diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml
index 08e22e3be7..b3a4c14939 100644
--- a/website/data/security/advisories.toml
+++ b/website/data/security/advisories.toml
@@ -1,6 +1,18 @@
 # Sort advisories by year, month and day
 # $FreeBSD$
 
+[[advisories]]
+name = "FreeBSD-SA-21:10.jail_mount"
+date = "2021-04-06"
+
+[[advisories]]
+name = "FreeBSD-SA-21:09.accept_filter"
+date = "2021-04-06"
+
+[[advisories]]
+name = "FreeBSD-SA-21:08.vm"
+date = "2021-04-06"
+
 [[advisories]]
 name = "FreeBSD-SA-21:07.openssl"
 date = "2021-03-25"
diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml
index d6a17c8a9b..bf235e7212 100644
--- a/website/data/security/errata.toml
+++ b/website/data/security/errata.toml
@@ -1,6 +1,14 @@
 # Sort errata notices by year, month and day
 # $FreeBSD$
 
+[[notices]]
+name = "FreeBSD-EN-21:10.lldb"
+date = "2021-04-06"
+
+[[notices]]
+name = "FreeBSD-EN-21:09.pf"
+date = "2021-04-06"
+
 [[notices]]
 name = "FreeBSD-EN-21:08.freebsd-update"
 date = "2021-02-24"
diff --git a/website/static/security/advisories/FreeBSD-EN-21:09.pf.asc b/website/static/security/advisories/FreeBSD-EN-21:09.pf.asc
new file mode 100644
index 0000000000..16e3bb7d68
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-21:09.pf.asc
@@ -0,0 +1,119 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-21:09.pf                                             Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          net.pf.request_maxcount not settable from loader.conf(5)
+
+Category:       core
+Module:         pf
+Announced:      2021-04-06
+Affects:        FreeBSD 12.2
+Corrected:      2020-12-15 08:29:45 UTC (stable/12, 12.2-STABLE)
+                2021-04-06 19:21:24 UTC (releng/12.2, 12.2-RELEASE-p6)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+pf(4) is an Internet Protocol packet filter originally written for OpenBSD.
+
+II.  Problem Description
+
+The net.pf.request_maxcount sysctl provides an upper bound on the amount of
+memory used by pf(4) to store various types of state.  Prior to FreeBSD 12.2
+this sysctl was read-only and could only be adjusted via loader.conf(5).  In
+FreeBSD 12.2, the sysctl was made writeable, but lost the ability to be
+adjusted from loader.conf(5).
+
+III. Impact
+
+pf(4) may fail to load filtering rules if they cause the default
+request_maxcount bound to be exceeded.  Users that relied on loader.conf to
+increase the request_maxcount value could see their rules fail to load. 
+
+IV.  Workaround
+
+The value of request_maxcount may be set via sysctl.conf(5).
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-21:09/pf.patch
+# fetch https://security.FreeBSD.org/patches/EN-21:09/pf.patch.asc
+# gpg --verify pf.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r368656
+releng/12.2/                                                      r369554
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:09.pf.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=7QHR
+-----END PGP SIGNATURE-----
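Review bot: Step 2a of the Solution section ends at `# gpg --verify pf.patch.asc` without saying which key the signature has to come from, so a good-signature result only tells the reader that some key in their keyring signed the patch. A sentence such as `Check that the signature was made by the FreeBSD Security Officer key, comparing its fingerprint with the one published at <URL:https://security.FreeBSD.org/>.` would make the check meaningful. The same step appears unchanged in the EN-21:10, SA-21:08, SA-21:09 and SA-21:10 advisories added by this commit. The text sits inside a clearsigned message, so the wording has to change before signing rather than in the published file.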
diff --git a/website/static/security/advisories/FreeBSD-EN-21:10.lldb.asc b/website/static/security/advisories/FreeBSD-EN-21:10.lldb.asc
new file mode 100644
index 0000000000..ac25f41455
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-21:10.lldb.asc
@@ -0,0 +1,119 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-21:10.lldb                                           Errata Notice
+                                                          The FreeBSD Project
+
+Topic:		lldb abort on print command
+
+Category:       contrib
+Module:         lldb
+Announced:      2021-04-06
+Affects:        FreeBSD 12.2
+Corrected:      2020-10-31 18:42:03 UTC (stable/12, 12.2-STABLE)
+                2021-04-06 19:21:27 UTC (releng/12.2, 12.2-RELEASE-p6)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+lldb is the debugger from the LLVM project.  Version 10.0.1 is included
+in FreeBSD 12.2.
+
+II.  Problem Description
+
+Attempts to use lldb's `print` command (`p` alias) resulted in lldb
+aborting.
+
+III. Impact
+
+Some common debugger functionality cannot be used.
+
+IV.  Workaround
+
+No general workaround is available.  Information provided by certain print
+expressions may be available by using other commands, such as
+`frame variable`  (`fr v` alias).
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-21:10/lldb.patch
+# fetch https://security.FreeBSD.org/patches/EN-21:10/lldb.patch.asc
+# gpg --verify lldb.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r367228
+releng/12.2/                                                      r369555
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248745>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:10.lldb.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmBswDUACgkQ05eS9J6n
+5cL7iRAAnlsryVy3aJFQIMghO7+rOwwpFnxlDponVvzIkeNH2x3c62V81eAhUIvj
+q6TvEp2dNQdaTDoN6ytPoL+ek4sBh8WdVt0R8sWnUbEDf1BhvGQ3P9eT4q8Thx+Z
+wB3L40pLQZFapINmpEIp7xwcWJv8xiKxmY2PDOcNkju5GWD4OatoMuCx5iMNwQ+g
+7aYUL1gUhvcudSMghJ+jH6Pre2Yq+y+ziAhmGB0QOREOEoguXvJwgdO+clZHdFl2
+E1Yudhfr0v6afQFL9RzX+Ck6ft9KBPd9rzZwc2bTHfi08zmAy63FN3Bxvx/8O/EJ
+9NXRJHv0zuVSOZePKJ6qv1ap5f7RLzLN7ztaUQMCxkqCoRsdV3UYsUCkE8NH/ZOT
+NZ7zZCmL7zHpn17QX7tBqqYeAHtFJLAlXaBiSIxYOaKM87GMMmvpb+06f9frwtuu
+lOxzY0l7H+iWsSakdsoUrtL+wNvOM3wFafHtDSXDyHbSUKWiWa3yubzl8szIgCrX
+GhW84r3MdaVSm3EQQS2qQux+9HTLcx5Lh0+BVmeA36VBwNeG+wc8t5eZYc4xSlJh
+jIv2CRPm97e5796O5gGtjqyiidSL2lfw9tHE3H/1gqn/2DLNFbM+DcwgI20Wfz4u
+hdhN//GsIDiOA9BwClgIW6Vbs/V5B9uN8E/RH4lFggmJAkkPWGU=
+=boNk
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-21:08.vm.asc b/website/static/security/advisories/FreeBSD-SA-21:08.vm.asc
new file mode 100644
index 0000000000..d9513f4eee
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-21:08.vm.asc
@@ -0,0 +1,166 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-21:08.vm                                         Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Memory disclosure by stale virtual memory mapping
+
+Category:       core
+Module:         vm
+Announced:      2021-04-06
+Credits:        Ryan Libby, Dell Inc.
+Affects:        All supported versions of FreeBSD.
+Corrected:      2021-04-06 18:50:46 UTC (stable/13, 13.0-STABLE)
+                2021-04-06 19:18:49 UTC (releng/13.0, 13.0-RC5-p1)
+                2021-04-06 19:20:46 UTC (stable/12, 12.2-STABLE)
+                2021-04-06 19:21:30 UTC (releng/12.2, 12.2-RELEASE-p6)
+                2021-04-06 19:22:31 UTC (stable/11, 11.4-STABLE)
+                2021-04-06 19:22:56 UTC (releng/11.4, 11.4-RELEASE-p9)
+CVE Name:       CVE-2021-29626
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+Memory mappings shared between processes are a feature of the FreeBSD
+virtual memory system.  They may be established by unprivileged
+processes with the mmap(2), fork(2), and other system calls.
+
+II.  Problem Description
+
+A particular case of memory sharing is mishandled in the virtual memory
+system.  It is possible and legal to establish a relationship where
+multiple descendant processes share a mapping which shadows memory of an
+ancestor process.  In this scenario, when one process modifies memory
+through such a mapping, the copy-on-write logic fails to invalidate
+other mappings of the source page.  These stale mappings may remain even
+after the mapped pages have been reused for another purpose.
+
+III. Impact
+
+An unprivileged local user process can maintain a mapping of a page
+after it is freed, allowing that process to read private data belonging
+to other processes or the kernel.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 13.0]
+# fetch https://security.FreeBSD.org/patches/SA-21:08/vm_fault.13.patch
+# fetch https://security.FreeBSD.org/patches/SA-21:08/vm_fault.13.patch.asc
+# gpg --verify vm_fault.13.patch.asc
+
+[FreeBSD 12.2]
+# fetch https://security.FreeBSD.org/patches/SA-21:08/vm_fault.12.patch
+# fetch https://security.FreeBSD.org/patches/SA-21:08/vm_fault.12.patch.asc
+# gpg --verify vm_fault.12.patch.asc
+
+[FreeBSD 11.4]
+# fetch https://security.FreeBSD.org/patches/SA-21:08/vm_fault.11.patch
+# fetch https://security.FreeBSD.org/patches/SA-21:08/vm_fault.11.patch.asc
+# gpg --verify vm_fault.11.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                      Hash                            Revision
+- -------------------------------------------------------------------------
+stable/13/                       2e08308d62f3           stable/13-n245117
+releng/13.0/                     724bc23da1a9         releng/13.0-n244728
+stable/12/                                                        r369551
+releng/12.2/                                                      r369556
+stable/11/                                                        r369559
+releng/11.4/                                                      r369561
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing HHHHHH with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=HHHHHH>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29626>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-21:08.vm.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=rC4V
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-21:09.accept_filter.asc b/website/static/security/advisories/FreeBSD-SA-21:09.accept_filter.asc
new file mode 100644
index 0000000000..0e58b59b15
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-21:09.accept_filter.asc
@@ -0,0 +1,168 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-21:09.accept_filter                              Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          double free in accept_filter(9) socket configuration interface
+
+Category:       core
+Module:         accept_filter
+Announced:      2021-04-06
+Credits:	Alexey Kulaev
+Affects:        FreeBSD 12.2 and later.
+Corrected:      2021-03-28 00:24:15 UTC (stable/13, 13.0-STABLE)
+                2021-03-28 15:03:37 UTC (releng/13.0, 13.0-RC4)
+                2021-03-28 00:26:49 UTC (stable/12, 12.2-STABLE)
+                2021-04-06 19:21:21 UTC (releng/12.2, 12.2-RELEASE-p6)
+CVE Name:       CVE-2021-29627
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+FreeBSD features an accept_filter(9) mechanism which allows an
+application to request that the kernel pre-process incoming connections.
+For example, the accf_http(9) accept filter prevents accept(2) from
+returning until a full HTTP request has been buffered.
+
+No accept filters are enabled by default.  A system administrator must
+either compile the FreeBSD kernel with a particular accept filter option
+(such as ACCEPT_FILTER_HTTP) or load the filter using kldload(8) in
+order to utilize accept filters.
+
+II.  Problem Description
+
+An unprivileged process can configure an accept filter on a listening
+socket.  This is done using the setsockopt(2) system call.  The process
+supplies the name of the accept filter which is to be attached to the
+socket, as well as a string containing filter-specific information.
+
+If the filter implements the accf_create callback, the socket option
+handler attempts to preserve the process-supplied argument string.  A
+bug in the socket option handler caused this string to be freed
+prematurely, leaving a dangling pointer.  Additional operations on the
+socket can turn this into a double free or a use-after-free.
+
+III. Impact
+
+The bug may be exploited to trigger local privilege escalation or kernel
+memory disclosure.
+
+IV.  Workaround
+
+Systems not using accept filters, or using only the accept filters
+included with the FreeBSD base system (accf_data(9), accf_dns(9), and
+accf_http(9)) are unaffected.  Note that no accept filters are loaded
+in the kernel by default.
+
+Systems using a third-party accept filter module are affected if the
+module defines an accf_create callback.  In this case, the only
+workaround is to ensure that the module is not loaded into the kernel.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-21:09/accept_filter.patch
+# fetch https://security.FreeBSD.org/patches/SA-21:09/accept_filter.patch.asc
+# gpg --verify accept_filter.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                      Hash                            Revision
+- -------------------------------------------------------------------------
+stable/13/                       c7d10e7ec872           stable/13-n245050
+releng/13.0/                     af6611e5adc6         releng/13.0-n244711
+stable/12/                                                        r369525
+releng/12.2/                                                      r369553
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing HHHHHH with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=HHHHHH>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<other info on vulnerability>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29627>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-21:09.accept_filter.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=UfpF
+-----END PGP SIGNATURE-----
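Review bot: The References section still carries the template placeholder `<other info on vulnerability>` ahead of the CVE link, and the same line is present in FreeBSD-SA-21:10.jail_mount.asc. It should be dropped, or replaced with an actual reference if one was intended. Because the line lies inside the clearsigned body, correcting it means issuing a re-signed revision of each advisory rather than editing the file in place.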
diff --git a/website/static/security/advisories/FreeBSD-SA-21:10.jail_mount.asc b/website/static/security/advisories/FreeBSD-SA-21:10.jail_mount.asc
new file mode 100644
index 0000000000..dd5b048a37
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-21:10.jail_mount.asc
@@ -0,0 +1,170 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-21:10.jail_mount                                 Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          jail escape possible by mounting over jail root
+
+Category:       core
+Module:         jail
+Announced:      2021-04-06
+Credits:        Mateusz Guzik
+Affects:        All supported versions of FreeBSD.
+Corrected:      2021-04-06 18:50:48 UTC (stable/13, 13.0-STABLE)
+                2021-04-06 19:18:59 UTC (releng/13.0, 13.0-RC5-p1)
+                2021-04-06 19:20:50 UTC (stable/12, 12.2-STABLE)
+                2021-04-06 19:21:33 UTC (releng/12.2, 12.2-RELEASE-p6)
+                2021-04-06 19:22:31 UTC (stable/11, 11.4-STABLE)
+                2021-04-06 19:22:59 UTC (releng/11.4, 11.4-RELEASE-p9)
+CVE Name:       CVE-2020-25584
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The jail(2) system call allows a system administrator to lock a process
+and all of its descendants inside an environment with a very limited
+ability to affect the system outside that environment, even for
+processes with superuser privileges.  It is an extension of, but
+far more powerful than, the traditional UNIX chroot(2) system call.
+
+II.  Problem Description
+
+Due to a race condition between lookup of ".." and remounting a filesystem,
+a process running inside a jail might access filesystem hierarchy outside
+of jail.
+
+III. Impact
+
+A process with superuser privileges running inside a jail configured
+with the allow.mount permission (not enabled by default) could change the root
+directory outside of the jail, and thus gain full read and write access
+to all files and directories in the system.
+
+IV.  Workaround
+
+As a workaround, disable allow.mount permission for all jails with untrusted
+root users; see jail(1) and jail.conf(5) manual pages for details.
+
+Note that this permission is not enabled by default.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 13.0]
+# fetch https://security.FreeBSD.org/patches/SA-21:10/jail_mount.13.patch
+# fetch https://security.FreeBSD.org/patches/SA-21:10/jail_mount.13.patch.asc
+# gpg --verify jail_mount.13.patch.asc
+
+[FreeBSD 12.2]
+# fetch https://security.FreeBSD.org/patches/SA-21:10/jail_mount.12.patch
+# fetch https://security.FreeBSD.org/patches/SA-21:10/jail_mount.12.patch.asc
+# gpg --verify jail_mount.12.patch.asc
+
+[FreeBSD 11.4]
+# fetch https://security.FreeBSD.org/patches/SA-21:10/jail_mount.11.patch
+# fetch https://security.FreeBSD.org/patches/SA-21:10/jail_mount.11.patch.asc
+# gpg --verify jail_mount.11.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                      Hash                            Revision
+- -------------------------------------------------------------------------
+stable/13/                       3ae17faa3704           stable/13-n245118
+releng/13.0/                     4710439ec594         releng/13.0-n244729
+stable/12/                                                        r369552
+releng/12.2/                                                      r369557
+stable/11/                                                        r369560
+releng/11.4/                                                      r369562
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing HHHHHH with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=HHHHHH>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<other info on vulnerability>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25584>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-21:10.jail_mount.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=g2On
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-21:09/pf.patch b/website/static/security/patches/EN-21:09/pf.patch
new file mode 100644
index 0000000000..7407c4494a
--- /dev/null
+++ b/website/static/security/patches/EN-21:09/pf.patch
@@ -0,0 +1,22 @@
+    MFC r368588:
+    
+    pf: Allow net.pf.request_maxcount to be set from loader.conf
+    
+    Mark request_maxcount as RWTUN so we can set it both at runtime and from
+    loader.conf. This avoids users getting caught out by the change from tunable to
+    run time configuration.
+    
+    Suggested by:   Franco Fichtner
+    
+    (cherry picked from commit 08d13750ebdae45bcdb73d52665b823e9ba93db1)
+--- sys/netpfil/pf/pf.c.orig
++++ sys/netpfil/pf/pf.c
+@@ -382,7 +382,7 @@
+     &pf_hashsize, 0, "Size of pf(4) states hashtable");
+ SYSCTL_ULONG(_net_pf, OID_AUTO, source_nodes_hashsize, CTLFLAG_RDTUN,
+     &pf_srchashsize, 0, "Size of pf(4) source nodes hashtable");
+-SYSCTL_ULONG(_net_pf, OID_AUTO, request_maxcount, CTLFLAG_RW,
++SYSCTL_ULONG(_net_pf, OID_AUTO, request_maxcount, CTLFLAG_RWTUN,
+     &pf_ioctl_maxcount, 0, "Maximum number of tables, addresses, ... in a single ioctl() call");
+ 
+ VNET_DEFINE(void *, pf_swi_cookie);
diff --git a/website/static/security/patches/EN-21:09/pf.patch.asc b/website/static/security/patches/EN-21:09/pf.patch.asc
new file mode 100644
index 0000000000..1b708cc8a3
--- /dev/null
+++ b/website/static/security/patches/EN-21:09/pf.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=ESG4
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-21:10/lldb.patch b/website/static/security/patches/EN-21:10/lldb.patch
new file mode 100644
index 0000000000..38f58bfa57
--- /dev/null
+++ b/website/static/security/patches/EN-21:10/lldb.patch
@@ -0,0 +1,54 @@
+--- contrib/llvm-project/lldb/source/Target/Target.cpp.orig
++++ contrib/llvm-project/lldb/source/Target/Target.cpp
+@@ -2412,21 +2412,13 @@
+ 
+ llvm::Expected<lldb_private::Address> Target::GetEntryPointAddress() {
+   Module *exe_module = GetExecutableModulePointer();
+-  llvm::Error error = llvm::Error::success();
+-  assert(!error); // Check the success value when assertions are enabled.
+ 
+-  if (!exe_module || !exe_module->GetObjectFile()) {
+-    error = llvm::make_error<llvm::StringError>("No primary executable found",
+-                                                llvm::inconvertibleErrorCode());
+-  } else {
++  // Try to find the entry point address in the primary executable.
++  const bool has_primary_executable = exe_module && exe_module->GetObjectFile();
++  if (has_primary_executable) {
+     Address entry_addr = exe_module->GetObjectFile()->GetEntryPointAddress();
+     if (entry_addr.IsValid())
+       return entry_addr;
+-
+-    error = llvm::make_error<llvm::StringError>(
+-        "Could not find entry point address for executable module \"" +
+-            exe_module->GetFileSpec().GetFilename().GetStringRef() + "\"",
+-        llvm::inconvertibleErrorCode());
+   }
+ 
+   const ModuleList &modules = GetImages();
+@@ -2437,14 +2429,21 @@
+       continue;
+ 
+     Address entry_addr = module_sp->GetObjectFile()->GetEntryPointAddress();
+-    if (entry_addr.IsValid()) {
+-      // Discard the error.
+-      llvm::consumeError(std::move(error));
++    if (entry_addr.IsValid())
+       return entry_addr;
+-    }
+   }
+ 
+-  return std::move(error);
++  // We haven't found the entry point address. Return an appropriate error.
++  if (!has_primary_executable)
++    return llvm::make_error<llvm::StringError>(
++        "No primary executable found and could not find entry point address in "
++        "any executable module",
++        llvm::inconvertibleErrorCode());
++
++  return llvm::make_error<llvm::StringError>(
++      "Could not find entry point address for primary executable module \"" +
++          exe_module->GetFileSpec().GetFilename().GetStringRef() + "\"",
++      llvm::inconvertibleErrorCode());
+ }
+ 
+ lldb::addr_t Target::GetCallableLoadAddress(lldb::addr_t load_addr,
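Review bot: lldb.patch starts directly at the `--- contrib/llvm-project/lldb/source/Target/Target.cpp.orig` header with no description, so the file does not say which source change it carries. pf.patch in the same commit opens with its MFC revision and the cherry-picked commit hash. A short leading block naming the originating revision would let someone who fetched only the patch and its detached signature trace it back; the EN-21:10 advisory lists r367228 for stable/12 and r369555 for releng/12.2. Since lldb.patch.asc signs these exact bytes, the header would need to be added before the signature is produced.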
diff --git a/website/static/security/patches/EN-21:10/lldb.patch.asc b/website/static/security/patches/EN-21:10/lldb.patch.asc
new file mode 100644
index 0000000000..533380c6d0
--- /dev/null
+++ b/website/static/security/patches/EN-21:10/lldb.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=XWab
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/SA-21:08/vm_fault.11.patch b/website/static/security/patches/SA-21:08/vm_fault.11.patch
*** 391 LINES SKIPPED ***

