svn commit: r47125 - in head/share: security/advisories security/patches/SA-15:14 security/patches/SA-15:15 security/patches/SA-15:16 security/patches/SA-15:17 xml
Xin LI
delphij at FreeBSD.org
Tue Jul 28 20:17:14 UTC 2015
Author: delphij
Date: Tue Jul 28 20:17:10 2015
New Revision: 47125
URL: https://svnweb.freebsd.org/changeset/doc/47125
Log:
Add SA-15:14 - SA-15:17.
Added:
head/share/security/advisories/FreeBSD-SA-15:14.bsdpatch.asc (contents, props changed)
head/share/security/advisories/FreeBSD-SA-15:15.tcp.asc (contents, props changed)
head/share/security/advisories/FreeBSD-SA-15:16.openssh.asc (contents, props changed)
head/share/security/advisories/FreeBSD-SA-15:17.bind.asc (contents, props changed)
head/share/security/patches/SA-15:14/
head/share/security/patches/SA-15:14/bsdpatch.patch (contents, props changed)
head/share/security/patches/SA-15:14/bsdpatch.patch.asc (contents, props changed)
head/share/security/patches/SA-15:15/
head/share/security/patches/SA-15:15/tcp-8.patch (contents, props changed)
head/share/security/patches/SA-15:15/tcp-8.patch.asc (contents, props changed)
head/share/security/patches/SA-15:15/tcp-9.3-10.1.patch (contents, props changed)
head/share/security/patches/SA-15:15/tcp-9.3-10.1.patch.asc (contents, props changed)
head/share/security/patches/SA-15:15/tcp.patch (contents, props changed)
head/share/security/patches/SA-15:15/tcp.patch.asc (contents, props changed)
head/share/security/patches/SA-15:16/
head/share/security/patches/SA-15:16/openssh-8.patch (contents, props changed)
head/share/security/patches/SA-15:16/openssh-8.patch.asc (contents, props changed)
head/share/security/patches/SA-15:16/openssh.patch (contents, props changed)
head/share/security/patches/SA-15:16/openssh.patch.asc (contents, props changed)
head/share/security/patches/SA-15:17/
head/share/security/patches/SA-15:17/bind.patch (contents, props changed)
head/share/security/patches/SA-15:17/bind.patch.asc (contents, props changed)
Modified:
head/share/xml/advisories.xml
Added: head/share/security/advisories/FreeBSD-SA-15:14.bsdpatch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-15:14.bsdpatch.asc Tue Jul 28 20:17:10 2015 (r47125)
@@ -0,0 +1,134 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:14.bsdpatch Security Advisory
+ The FreeBSD Project
+
+Topic: shell injection vulnerability in patch(1)
+
+Category: contrib
+Module: patch
+Announced: 2015-07-28
+Credits: Martin Natano
+Affects: FreeBSD 10.x.
+Corrected: 2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
+ 2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
+ 2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
+ 2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
+CVE Name: CVE-2015-1416
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The patch(1) utility takes a patch file produced by the diff(1) program and
+apply the differences to an original file, producing a patched version.
+
+The patch(1) utility supports certain version control systems, namely SCCS
+and RCS, and attempts to get or check out the file before applying a patch,
+if the original file do not already exist.
+
+II. Problem Description
+
+Due to insufficient sanitization of the input patch stream, it is possible
+for a patch file to cause patch(1) to run commands in addition to the desired
+SCCS or RCS commands.
+
+III. Impact
+
+This issue could be exploited to execute arbitrary commands as the user
+invoking patch(1) against a specically crafted patch file, which could be
+leveraged to obtain elevated privileges.
+
+IV. Workaround
+
+No workaround is available, but systems where a privileged user does not
+make use of patches without proper validation are not affected.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+A reboot is not required after updating.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+A reboot is not required after updating.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-15:14/bsdpatch.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:14/bsdpatch.patch.asc
+# gpg --verify bsdpatch.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/10/ r285976
+releng/10.1/ r285978
+releng/10.2/ r285979
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1416>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:14.bsdpatch.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+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+=JTtx
+-----END PGP SIGNATURE-----
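Review bot: the correction table in section VI lists releng/10.1 as r285978 and releng/10.2 as r285979, but the Corrected timestamps in the header (releng/10.2 at 19:59:04, releng/10.1 at 19:59:11) and the SA-15:15 and SA-15:16 tables committed alongside this one give releng/10.2 r285978 and releng/10.1 r285979; one of the two orderings is wrong and should be checked against the actual base commits before publication. Section I also needs updating against the fix: bsdpatch.patch deletes the GET and SCCSDIFF commands, so after the patch only RCS checkout is attempted, yet the text still says patch(1) "supports certain version control systems, namely SCCS and RCS" and section II speaks of "the desired SCCS or RCS commands"; readers should be told that SCCS support is removed, not just hardened. Typos: "apply the differences" (applies), "if the original file do not already exist" (does not), "specically" (specifically); the section IV sentence reads more clearly as "systems where privileged users do not apply unvalidated patches are not affected".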
Added: head/share/security/advisories/FreeBSD-SA-15:15.tcp.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-15:15.tcp.asc Tue Jul 28 20:17:10 2015 (r47125)
@@ -0,0 +1,187 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:15.tcp Security Advisory
+ The FreeBSD Project
+
+Topic: Resource exhaustion in TCP reassembly
+
+Category: core
+Module: inet
+Announced: 2015-07-28
+Credits: Patrick Kelsey (Norse Corporation)
+Affects: All supported versions of FreeBSD.
+Corrected: 2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
+ 2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
+ 2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
+ 2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
+ 2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)
+ 2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)
+ 2015-07-28 19:58:54 UTC (stable/8, 8.4-STABLE)
+ 2015-07-28 19:59:22 UTC (releng/8.4, 8.4-RELEASE-p35)
+CVE Name: CVE-2015-1417
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
+provides a connection-oriented, reliable, sequence-preserving data
+stream service.
+
+The underlying simple and potentially unreliable IP datagram
+communication protocol may deliver segments out of order, therefore,
+the TCP receiver would need to reassemble the segments into their
+original sequence to provide a reliable octet stream. Because the
+reassembly requires additional resources to keep the queued segments,
+historically resource exhaustion in the TCP reassembly path has been
+prevented by limiting the total number of segments that could belong
+to reassembly queues to a small fraction (1/16) of the total number of
+mbuf clusters in the system.
+
+VNET is a technique to virtualize the network stack, first introduced in
+FreeBSD 8.0. It changes global resources in the network stack into per
+network stack resources, so that a virtual network stack can be attached
+to a jailed prison and the prison can have unrestricted access to the
+virtual network stack. VNET is not enabled by default and has to be
+enabled by recompiling the kernel.
+
+II. Problem Description
+
+There is a mistake with the introduction of VNET, which converted the
+global limit on the number of segments that could belong to reassembly
+queues into a per-VNET limit. Because mbufs are allocated from a
+global pool, in the presence of a sufficient number of VNETs, the
+total number of mbufs attached to reassembly queues can grow to the
+total number of mbufs in the system, at which point all network
+traffic would cease.
+
+III. Impact
+
+An attacker who can establish concurrent TCP connections across a
+sufficient number of VNETs and manipulate the inbound packet streams
+such that the maximum number of mbufs are enqueued on each reassembly
+queue can cause mbuf cluster exhaustion on the target system, resulting
+in a Denial of Service condition.
+
+As the default per-VNET limit on the number of segments that can
+belong to reassembly queues is 1/16 of the total number of mbuf
+clusters in the system, only systems that have 16 or more VNET
+instances are vulnerable.
+
+IV. Workaround
+
+FreeBSD 8.x, 9.x and 10.x systems that do not make use of VNETs
+(option VIMAGE) are not affected. The support has to be specifically
+compiled into a custom kernel, so its use is not common.
+
+For affected systems, the system administrators may consider reducing
+the net.inet.tcp.reass.maxsegments tunable to the value of
+kern.ipc.nmbclusters divided by one greater than the total number of
+VNETs that are going to be used in the system in order to prevent a
+Denial of Service via this vulnerability. For example, if there are
+16 VNETs in the system, the net.inet.tcp.reass.maxsegments tunable
+should be set to kern.ipc.nmbclusters / 17.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot the system.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+And reboot the system.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 10.2]
+# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp.patch.asc
+# gpg --verify tcp.patch.asc
+
+[FreeBSD 9.3 and 10.1]
+# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-9.3-10.1.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-9.3-10.1.patch.asc
+# gpg --verify tcp-9.3-10.1.patch.asc
+
+[FreeBSD 8.4]
+# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-8.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-8.patch.asc
+# gpg --verify tcp-8.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/8/ r285977
+releng/8.4/ r285980
+stable/9/ r285977
+releng/9.3/ r285980
+stable/10/ r285976
+releng/10.1/ r285979
+releng/10.2/ r285978
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1417>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:15.tcp.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+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+=PC1V
+-----END PGP SIGNATURE-----
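Review bot: section IV tells administrators to lower net.inet.tcp.reass.maxsegments but never says where to set it. In tcp-8.patch the oid is declared "CTLTYPE_INT | CTLFLAG_RDTUN" and read at boot with TUNABLE_INT_FETCH("net.inet.tcp.reass.maxsegments", ...), so it is a read-only loader tunable: it belongs in /boot/loader.conf and takes effect only after a reboot, and a sysctl(8) write at runtime will be refused. The same patch also shows tcp_reass_zone_change() recomputing the limit as nmbclusters / 16 whenever kern.ipc.nmbclusters changes, which silently discards the tuned value; the workaround text should warn that a runtime change to kern.ipc.nmbclusters undoes it. Wording: "There is a mistake with the introduction of VNET, which converted" reads better as "The introduction of VNET mistakenly converted", and the last sentence of section I ("VNET is not enabled by default and has to be enabled by recompiling the kernel") repeats the statement made in section IV.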
Added: head/share/security/advisories/FreeBSD-SA-15:16.openssh.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-15:16.openssh.asc Tue Jul 28 20:17:10 2015 (r47125)
@@ -0,0 +1,188 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:16.openssh Security Advisory
+ The FreeBSD Project
+
+Topic: OpenSSH multiple vulnerabilities
+
+Category: contrib
+Module: openssh
+Announced: 2015-07-28
+Affects: All supported versions of FreeBSD.
+Corrected: 2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
+ 2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
+ 2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
+ 2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
+ 2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)
+ 2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)
+ 2015-07-28 19:58:54 UTC (stable/8, 8.4-STABLE)
+ 2015-07-28 19:59:22 UTC (releng/8.4, 8.4-RELEASE-p35)
+CVE Name: CVE-2014-2653, CVE-2015-5600
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+OpenSSH is an implementation of the SSH protocol suite, providing an
+encrypted and authenticated transport for a variety of services,
+including remote shell access.
+
+The security of the SSH connection relies on the server authenticating
+itself to the client as well as the user authenticating itself to the
+server. SSH servers uses host keys to verify their identity.
+
+RFC 4255 has defined a method of verifying SSH host keys using Domain
+Name System Security (DNSSEC), by publishing the key fingerprint using
+DNS with "SSHFP" resource record. RFC 6187 has defined methods to use
+a signature by a trusted certification authority to bind a given public
+key to a given digital identity with X.509v3 certificates.
+
+The PAM (Pluggable Authentication Modules) library provides a flexible
+framework for user authentication and session setup / teardown.
+
+OpenSSH uses PAM for password authentication by default.
+
+II. Problem Description
+
+OpenSSH clients does not correctly verify DNS SSHFP records when a server
+offers a certificate. [CVE-2014-2653]
+
+OpenSSH servers which are configured to allow password authentication
+using PAM (default) would allow many password attempts.
+
+III. Impact
+
+A malicious server may be able to force a connecting client to skip DNS
+SSHFP record check and require the user to perform manual host verification
+of the host key fingerprint. This could allow man-in-the-middle attack
+if the user does not carefully check the fingerprint. [CVE-2014-2653]
+
+A remote attacker may effectively bypass MaxAuthTries settings, which would
+enable them to brute force passwords. [CVE-2015-5600]
+
+IV. Workaround
+
+Systems that do not use OpenSSH are not affected.
+
+There is no workaround for CVE-2014-2653, but the problem only affects
+networks where DNSsec and SSHFP is properly configured. Users who uses
+SSH should always check server host key fingerprints carefully when
+prompted.
+
+System administrators can set:
+
+ UsePAM no
+
+In their /etc/ssh/sshd_config and restart sshd service to workaround the
+problem described as CVE-2015-5600 at expense of losing features provided
+by the PAM framework.
+
+We recommend system administrators to disable password based authentication
+completely, and use key based authentication exclusively in their SSH server
+configuration, when possible. This would eliminate the possibility of being
+ever exposed to password brute force attack.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+SSH service has to be restarted after the update. A reboot is recommended
+but not required.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+SSH service has to be restarted after the update. A reboot is recommended
+but not required.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 9.3, 10.1, 10.2]
+# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch.asc
+# gpg --verify openssh.patch.asc
+
+[FreeBSD 8.4]
+# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch.asc
+# gpg --verify openssh-8.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the SSH service, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/8/ r285977
+releng/8.4/ r285980
+stable/9/ r285977
+releng/9.3/ r285980
+stable/10/ r285976
+releng/10.1/ r285979
+releng/10.2/ r285978
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2653>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5600>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:16.openssh.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+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+=6PBw
+-----END PGP SIGNATURE-----
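Review bot: the second paragraph of section II carries no CVE tag while the first is marked [CVE-2014-2653]; add [CVE-2015-5600] there so the description is tied to the Impact paragraph that names MaxAuthTries, and say which authentication method accepts the extra attempts, since "would allow many password attempts" does not tell an administrator what to look for in their logs. Section IV names the directive for the PAM workaround ("UsePAM no") but not for the recommendation to "disable password based authentication completely"; name the sshd_config setting(s) the reader is expected to change, as the advisory otherwise leaves that to guesswork. Grammar: "OpenSSH clients does not" (do not), "SSH servers uses" (use), "Users who uses" (who use), "DNSsec" (DNSSEC), "to workaround the problem" (to work around), "at expense of" (at the expense of).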
Added: head/share/security/advisories/FreeBSD-SA-15:17.bind.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-15:17.bind.asc Tue Jul 28 20:17:10 2015 (r47125)
@@ -0,0 +1,139 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:17.bind Security Advisory
+ The FreeBSD Project
+
+Topic: BIND remote denial of service vulnerability
+
+Category: contrib
+Module: bind
+Announced: 2015-07-28
+Credits: ISC
+Affects: FreeBSD 8.x and FreeBSD 9.x.
+Corrected: 2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)
+ 2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)
+ 2015-07-28 19:58:54 UTC (stable/8, 8.4-STABLE)
+ 2015-07-28 19:59:22 UTC (releng/8.4, 8.4-RELEASE-p35)
+CVE Name: CVE-2015-5477
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+BIND 9 is an implementation of the Domain Name System (DNS) protocols.
+The named(8) daemon is an Internet Domain Name Server.
+
+II. Problem Description
+
+An error in the handling of TKEY queries can be exploited by an attacker
+for use as a denial-of-service vector, as a constructed packet can use
+the defect to trigger a REQUIRE assertion failure, causing BIND to exit.
+
+III. Impact
+
+A remote attacker can trigger a crash of a name server. Both recursive and
+authoritative servers are affected, and the exposure can not be mitigated
+by either ACLs or configuration options limiting or denying service because
+the exploitable code occurs early in the packet handling, before checks
+enforcing those boundaries.
+
+IV. Workaround
+
+No workaround is available, but systems that are not running BIND are not
+vulnerable.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+The named service has to be restarted after the update. A reboot is
+recommended but not required.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+The named service has to be restarted after the update. A reboot is
+recommended but not required.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-15:17/bind.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:17/bind.patch.asc
+# gpg --verify bind.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable daemons, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/8/ r285977
+releng/8.4/ r285980
+stable/9/ r285977
+releng/9.3/ r285980
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://kb.isc.org/article/AA-01272>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5477>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:17.bind.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+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+=40iD
+-----END PGP SIGNATURE-----
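Review bot: "Affects: FreeBSD 8.x and FreeBSD 9.x" together with "systems that are not running BIND are not vulnerable" in section IV leaves a 10.x reader unsure whether a BIND installed from outside the base system is within scope; one sentence stating that this advisory covers the BIND shipped in the 8.x and 9.x base system would remove that doubt. Section V step 3c says "Restart the applicable daemons" where steps 1 and 2 say "The named service has to be restarted"; use the same wording in all three places. Minor: "can not be mitigated" (cannot).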
Added: head/share/security/patches/SA-15:14/bsdpatch.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-15:14/bsdpatch.patch Tue Jul 28 20:17:10 2015 (r47125)
@@ -0,0 +1,188 @@
+Index: usr.bin/patch/common.h
+===================================================================
+--- usr.bin/patch/common.h (revision 285926)
++++ usr.bin/patch/common.h (working copy)
+@@ -43,12 +43,10 @@
+ #define LINENUM_MAX LONG_MAX
+
+ #define SCCSPREFIX "s."
+-#define GET "get -e %s"
+-#define SCCSDIFF "get -p %s | diff - %s >/dev/null"
+
+ #define RCSSUFFIX ",v"
+-#define CHECKOUT "co -l %s"
+-#define RCSDIFF "rcsdiff %s > /dev/null"
++#define CHECKOUT "/usr/bin/co"
++#define RCSDIFF "/usr/bin/rcsdiff"
+
+ #define ORIGEXT ".orig"
+ #define REJEXT ".rej"
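Review bot: deleting GET and SCCSDIFF removes SCCS checkout support from patch(1) outright instead of moving it to the same fork/execv path that RCS gets below, and nothing in the advisory text of this commit says so; either document the removal or carry SCCS over in the same way. SCCSPREFIX is left defined with no remaining user in the inp.c hunks shown here; drop it with the other two. Turning CHECKOUT and RCSDIFF into absolute paths ("/usr/bin/co", "/usr/bin/rcsdiff") is right for execv and also removes the PATH dependence the old system() command strings had.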
+Index: usr.bin/patch/inp.c
+===================================================================
+--- usr.bin/patch/inp.c (revision 285926)
++++ usr.bin/patch/inp.c (working copy)
+@@ -31,8 +31,10 @@
+ #include <sys/file.h>
+ #include <sys/stat.h>
+ #include <sys/mman.h>
++#include <sys/wait.h>
+
+ #include <ctype.h>
++#include <errno.h>
+ #include <libgen.h>
+ #include <stddef.h>
+ #include <stdint.h>
+@@ -133,12 +135,14 @@ reallocate_lines(size_t *lines_allocated)
+ static bool
+ plan_a(const char *filename)
+ {
+- int ifd, statfailed;
++ int ifd, statfailed, devnull, pstat;
+ char *p, *s, lbuf[INITLINELEN];
+ struct stat filestat;
+ ptrdiff_t sz;
+ size_t i;
+ size_t iline, lines_allocated;
++ pid_t pid;
++ char *argp[4] = {NULL};
+
+ #ifdef DEBUGGING
+ if (debug & 8)
+@@ -166,13 +170,14 @@ plan_a(const char *filename)
+ }
+ if (statfailed && check_only)
+ fatal("%s not found, -C mode, can't probe further\n", filename);
+- /* For nonexistent or read-only files, look for RCS or SCCS versions. */
++ /* For nonexistent or read-only files, look for RCS versions. */
++
+ if (statfailed ||
+ /* No one can write to it. */
+ (filestat.st_mode & 0222) == 0 ||
+ /* I can't write to it. */
+ ((filestat.st_mode & 0022) == 0 && filestat.st_uid != getuid())) {
+- const char *cs = NULL, *filebase, *filedir;
++ char *filebase, *filedir;
+ struct stat cstat;
+ char *tmp_filename1, *tmp_filename2;
+
+@@ -180,43 +185,26 @@ plan_a(const char *filename)
+ tmp_filename2 = strdup(filename);
+ if (tmp_filename1 == NULL || tmp_filename2 == NULL)
+ fatal("strdupping filename");
++
+ filebase = basename(tmp_filename1);
+ filedir = dirname(tmp_filename2);
+
+- /* Leave room in lbuf for the diff command. */
+- s = lbuf + 20;
+-
+ #define try(f, a1, a2, a3) \
+- (snprintf(s, buf_size - 20, f, a1, a2, a3), stat(s, &cstat) == 0)
++ (snprintf(lbuf, sizeof(lbuf), f, a1, a2, a3), stat(lbuf, &cstat) == 0)
+
+- if (try("%s/RCS/%s%s", filedir, filebase, RCSSUFFIX) ||
+- try("%s/RCS/%s%s", filedir, filebase, "") ||
+- try("%s/%s%s", filedir, filebase, RCSSUFFIX)) {
+- snprintf(buf, buf_size, CHECKOUT, filename);
+- snprintf(lbuf, sizeof lbuf, RCSDIFF, filename);
+- cs = "RCS";
+- } else if (try("%s/SCCS/%s%s", filedir, SCCSPREFIX, filebase) ||
+- try("%s/%s%s", filedir, SCCSPREFIX, filebase)) {
+- snprintf(buf, buf_size, GET, s);
+- snprintf(lbuf, sizeof lbuf, SCCSDIFF, s, filename);
+- cs = "SCCS";
+- } else if (statfailed)
+- fatal("can't find %s\n", filename);
+-
+- free(tmp_filename1);
+- free(tmp_filename2);
+-
+ /*
+ * else we can't write to it but it's not under a version
+ * control system, so just proceed.
+ */
+- if (cs) {
++ if (try("%s/RCS/%s%s", filedir, filebase, RCSSUFFIX) ||
++ try("%s/RCS/%s%s", filedir, filebase, "") ||
++ try("%s/%s%s", filedir, filebase, RCSSUFFIX)) {
+ if (!statfailed) {
+ if ((filestat.st_mode & 0222) != 0)
+ /* The owner can write to it. */
+ fatal("file %s seems to be locked "
+- "by somebody else under %s\n",
+- filename, cs);
++ "by somebody else under RCS\n",
++ filename);
+ /*
+ * It might be checked out unlocked. See if
+ * it's safe to check out the default version
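Review bot: the comment "else we can't write to it but it's not under a version control system, so just proceed." now sits directly above the "if (try(...))" that opens the RCS branch rather than on the fall-through it describes; move it to the path it explains or reword it, because after this hunk it reads as an explanation of the RCS lookup. Changing try() to write into lbuf with sizeof(lbuf) is correct now that lbuf no longer has to hold a shell command, and removing "s = lbuf + 20" with its "Leave room in lbuf for the diff command" comment takes the fragile 20-byte offset out with it.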
+@@ -224,21 +212,59 @@ plan_a(const char *filename)
+ */
+ if (verbose)
+ say("Comparing file %s to default "
+- "%s version...\n",
+- filename, cs);
+- if (system(lbuf))
++ "RCS version...\n", filename);
++
++ switch (pid = fork()) {
++ case -1:
++ fatal("can't fork: %s\n",
++ strerror(errno));
++ case 0:
++ devnull = open("/dev/null", O_RDONLY);
++ if (devnull == -1) {
++ fatal("can't open /dev/null: %s",
++ strerror(errno));
++ }
++ (void)dup2(devnull, STDOUT_FILENO);
++ argp[0] = strdup(RCSDIFF);
++ argp[1] = strdup(filename);
++ execv(RCSDIFF, argp);
++ exit(127);
++ }
++ pid = waitpid(pid, &pstat, 0);
++ if (pid == -1 || WEXITSTATUS(pstat) != 0) {
+ fatal("can't check out file %s: "
+- "differs from default %s version\n",
+- filename, cs);
++ "differs from default RCS version\n",
++ filename);
++ }
+ }
++
+ if (verbose)
+- say("Checking out file %s from %s...\n",
+- filename, cs);
+- if (system(buf) || stat(filename, &filestat))
+- fatal("can't check out file %s from %s\n",
+- filename, cs);
++ say("Checking out file %s from RCS...\n",
++ filename);
++
++ switch (pid = fork()) {
++ case -1:
++ fatal("can't fork: %s\n", strerror(errno));
++ case 0:
++ argp[0] = strdup(CHECKOUT);
++ argp[1] = strdup("-l");
++ argp[2] = strdup(filename);
++ execv(CHECKOUT, argp);
++ exit(127);
++ }
++ pid = waitpid(pid, &pstat, 0);
++ if (pid == -1 || WEXITSTATUS(pstat) != 0 ||
++ stat(filename, &filestat)) {
++ fatal("can't check out file %s from RCS\n",
++ filename);
++ }
++ } else if (statfailed) {
++ fatal("can't find %s\n", filename);
+ }
++ free(tmp_filename1);
++ free(tmp_filename2);
+ }
++
+ filemode = filestat.st_mode;
+ if (!S_ISREG(filemode))
+ fatal("%s is not a normal file--can't patch\n", filename);
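Review bot: both waitpid() checks test WEXITSTATUS(pstat) without first testing WIFEXITED(pstat); if co or rcsdiff dies from a signal, WEXITSTATUS yields an unspecified value that may read as 0, and the checkout is then treated as successful. Use "if (pid == -1 || !WIFEXITED(pstat) || WEXITSTATUS(pstat) != 0)" in both places. In the rcsdiff child, "/dev/null" is opened O_RDONLY and then dup2()'d onto STDOUT_FILENO, so every write rcsdiff makes to stdout fails with EBADF; the shell redirection this code replaces opened it for writing, so use O_WRONLY. The strdup() results stored in argp[] are never checked, and execl(RCSDIFF, RCSDIFF, filename, (char *)NULL) would avoid the allocations entirely. Style: the format "can't open /dev/null: %s" lacks the trailing \n the other fatal() calls have, and calling fatal() inside the forked child runs whatever cleanup fatal() performs on the parent's behalf; writing the message to stderr and calling _exit(127) is the safer choice there.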
Added: head/share/security/patches/SA-15:14/bsdpatch.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-15:14/bsdpatch.patch.asc Tue Jul 28 20:17:10 2015 (r47125)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+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+=fzsn
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/SA-15:15/tcp-8.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-15:15/tcp-8.patch Tue Jul 28 20:17:10 2015 (r47125)
@@ -0,0 +1,203 @@
+Index: sys/netinet/tcp_reass.c
+===================================================================
+--- sys/netinet/tcp_reass.c (revision 285923)
++++ sys/netinet/tcp_reass.c (working copy)
+@@ -80,29 +80,25 @@ static int tcp_reass_sysctl_qsize(SYSCTL_HANDLER_A
+ SYSCTL_NODE(_net_inet_tcp, OID_AUTO, reass, CTLFLAG_RW, 0,
+ "TCP Segment Reassembly Queue");
+
+-static VNET_DEFINE(int, tcp_reass_maxseg) = 0;
+-#define V_tcp_reass_maxseg VNET(tcp_reass_maxseg)
++static int tcp_reass_maxseg = 0;
+ SYSCTL_VNET_PROC(_net_inet_tcp_reass, OID_AUTO, maxsegments,
+ CTLTYPE_INT | CTLFLAG_RDTUN,
+- &VNET_NAME(tcp_reass_maxseg), 0, &tcp_reass_sysctl_maxseg, "I",
++ &tcp_reass_maxseg, 0, &tcp_reass_sysctl_maxseg, "I",
+ "Global maximum number of TCP Segments in Reassembly Queue");
+
+-static VNET_DEFINE(int, tcp_reass_qsize) = 0;
+-#define V_tcp_reass_qsize VNET(tcp_reass_qsize)
+-SYSCTL_VNET_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,
++static int tcp_reass_qsize = 0;
++SYSCTL_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,
+ CTLTYPE_INT | CTLFLAG_RD,
+- &VNET_NAME(tcp_reass_qsize), 0, &tcp_reass_sysctl_qsize, "I",
++ &tcp_reass_qsize, 0, &tcp_reass_sysctl_qsize, "I",
+ "Global number of TCP Segments currently in Reassembly Queue");
+
+-static VNET_DEFINE(int, tcp_reass_overflows) = 0;
+-#define V_tcp_reass_overflows VNET(tcp_reass_overflows)
+-SYSCTL_VNET_INT(_net_inet_tcp_reass, OID_AUTO, overflows,
++static int tcp_reass_overflows = 0;
++SYSCTL_INT(_net_inet_tcp_reass, OID_AUTO, overflows,
+ CTLTYPE_INT | CTLFLAG_RD,
+- &VNET_NAME(tcp_reass_overflows), 0,
++ &tcp_reass_overflows, 0,
+ "Global number of TCP Segment Reassembly Queue Overflows");
+
+-static VNET_DEFINE(uma_zone_t, tcp_reass_zone);
+-#define V_tcp_reass_zone VNET(tcp_reass_zone)
++static uma_zone_t tcp_reass_zone;
+
+ /* Initialize TCP reassembly queue */
+ static void
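Review bot: maxsegments is left declared with SYSCTL_VNET_PROC while its backing variable becomes the plain global tcp_reass_maxseg, whereas cursegments and overflows in the same hunk are switched to SYSCTL_PROC and SYSCTL_INT. SYSCTL_VNET_PROC marks the oid CTLFLAG_VNET, and on VIMAGE kernels the sysctl layer relocates a CTLFLAG_VNET arg1 into the current vnet's data area, so reading or tuning net.inet.tcp.reass.maxsegments would no longer address tcp_reass_maxseg on exactly the kernels this advisory targets. Change it to "SYSCTL_PROC(_net_inet_tcp_reass, OID_AUTO, maxsegments," to match the other two.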
+@@ -109,34 +105,25 @@ static void
+ tcp_reass_zone_change(void *tag)
+ {
+
+- V_tcp_reass_maxseg = nmbclusters / 16;
+- uma_zone_set_max(V_tcp_reass_zone, V_tcp_reass_maxseg);
++ tcp_reass_maxseg = nmbclusters / 16;
++ uma_zone_set_max(tcp_reass_zone, tcp_reass_maxseg);
+ }
+
+ void
+-tcp_reass_init(void)
++tcp_reass_global_init(void)
+ {
+
+- V_tcp_reass_maxseg = nmbclusters / 16;
++ tcp_reass_maxseg = nmbclusters / 16;
+ TUNABLE_INT_FETCH("net.inet.tcp.reass.maxsegments",
+- &V_tcp_reass_maxseg);
+- V_tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
++ &tcp_reass_maxseg);
++ tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
+ NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
+- uma_zone_set_max(V_tcp_reass_zone, V_tcp_reass_maxseg);
++ uma_zone_set_max(tcp_reass_zone, tcp_reass_maxseg);
+ EVENTHANDLER_REGISTER(nmbclusters_change,
+ tcp_reass_zone_change, NULL, EVENTHANDLER_PRI_ANY);
+ }
+
+-#ifdef VIMAGE
+ void
+-tcp_reass_destroy(void)
+-{
+-
+- uma_zdestroy(V_tcp_reass_zone);
+-}
+-#endif
+-
+-void
+ tcp_reass_flush(struct tcpcb *tp)
+ {
+ struct tseg_qent *qe;
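Review bot: tcp_reass_init() is renamed to tcp_reass_global_init() and tcp_reass_destroy() is removed, but the callers elsewhere in sys/netinet are not in the truncated output shown here; the patch must update them for the kernel to link, and those hunks need to be visible to review the change. Also note that tcp_reass_zone_change() re-derives the limit as nmbclusters / 16 and applies it with uma_zone_set_max(), discarding any net.inet.tcp.reass.maxsegments value fetched by TUNABLE_INT_FETCH in tcp_reass_global_init(); the deleted lines did the same per vnet, so it is pre-existing, but it means the advisory's workaround does not survive a runtime change to kern.ipc.nmbclusters.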
+@@ -146,7 +133,7 @@ tcp_reass_flush(struct tcpcb *tp)
+ while ((qe = LIST_FIRST(&tp->t_segq)) != NULL) {
+ LIST_REMOVE(qe, tqe_q);
+ m_freem(qe->tqe_m);
+- uma_zfree(V_tcp_reass_zone, qe);
++ uma_zfree(tcp_reass_zone, qe);
+ tp->t_segqlen--;
+ }
+
+@@ -158,7 +145,7 @@ tcp_reass_flush(struct tcpcb *tp)
+ static int
+ tcp_reass_sysctl_maxseg(SYSCTL_HANDLER_ARGS)
+ {
+- V_tcp_reass_maxseg = uma_zone_get_max(V_tcp_reass_zone);
++ tcp_reass_maxseg = uma_zone_get_max(tcp_reass_zone);
+ return (sysctl_handle_int(oidp, arg1, arg2, req));
+ }
+
+@@ -165,7 +152,7 @@ tcp_reass_sysctl_maxseg(SYSCTL_HANDLER_ARGS)
+ static int
+ tcp_reass_sysctl_qsize(SYSCTL_HANDLER_ARGS)
+ {
+- V_tcp_reass_qsize = uma_zone_get_cur(V_tcp_reass_zone);
++ tcp_reass_qsize = uma_zone_get_cur(tcp_reass_zone);
+ return (sysctl_handle_int(oidp, arg1, arg2, req));
+ }
+
+@@ -213,7 +200,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
+ */
+ if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
+ tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
+- V_tcp_reass_overflows++;
++ tcp_reass_overflows++;
+ TCPSTAT_INC(tcps_rcvmemdrop);
+ m_freem(m);
+ *tlenp = 0;
+@@ -232,7 +219,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
+ * Use a temporary structure on the stack for the missing segment
+ * when the zone is exhausted. Otherwise we may get stuck.
+ */
+- te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
More information about the svn-doc-head
mailing list