svn commit: r48424 - in head/share: security/advisories security/patches/EN-16:04 security/patches/EN-16:05 security/patches/SA-16:14 security/patches/SA-16:15 xml
Gleb Smirnoff
glebius at FreeBSD.org
Wed Mar 16 23:10:16 UTC 2016
Author: glebius (src committer)
Date: Wed Mar 16 23:10:13 2016
New Revision: 48424
URL: https://svnweb.freebsd.org/changeset/doc/48424
Log:
Document today updates:
FreeBSD-16:04.hyperv
FreeBSD-16:05.hv_netvsc
FreeBSD-SA-16:14.openssh
FreeBSD-SA-16:15.sysarch
Added:
head/share/security/advisories/FreeBSD-16:04.hyperv.asc (contents, props changed)
head/share/security/advisories/FreeBSD-16:05.hv_netvsc.asc (contents, props changed)
head/share/security/advisories/FreeBSD-SA-16:14.openssh.asc (contents, props changed)
head/share/security/advisories/FreeBSD-SA-16:15.sysarch.asc (contents, props changed)
head/share/security/patches/EN-16:04/
head/share/security/patches/EN-16:04/hyperv.patch (contents, props changed)
head/share/security/patches/EN-16:04/hyperv.patch.asc (contents, props changed)
head/share/security/patches/EN-16:05/
head/share/security/patches/EN-16:05/hv_netvsc.patch (contents, props changed)
head/share/security/patches/EN-16:05/hv_netvsc.patch.asc (contents, props changed)
head/share/security/patches/SA-16:14/
head/share/security/patches/SA-16:14/openssh-xauth.patch (contents, props changed)
head/share/security/patches/SA-16:14/openssh-xauth.patch.asc (contents, props changed)
head/share/security/patches/SA-16:15/
head/share/security/patches/SA-16:15/sysarch.patch (contents, props changed)
head/share/security/patches/SA-16:15/sysarch.patch.asc (contents, props changed)
Modified:
head/share/xml/advisories.xml
head/share/xml/notices.xml
Added: head/share/security/advisories/FreeBSD-16:04.hyperv.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-16:04.hyperv.asc Wed Mar 16 23:10:13 2016 (r48424)
@@ -0,0 +1,137 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-16:04.hyperv Errata Notice
+ The FreeBSD Project
+
+Topic: Hyper-V KVP (Key-Value Pair) daemon indefinite sleep
+
+Category: core
+Module: hyperv
+Announced: 2016-03-16
+Credits: Microsoft Open Source Technology Center(OSTC)
+Affects: FreeBSD 10.x
+Corrected: 2015-12-18 14:52:12 UTC (stable/10, 10.2-STABLE)
+ 2016-03-16 22:31:04 UTC (releng/10.2, 10.2-RELEASE-p14)
+ 2016-03-16 22:30:56 UTC (releng/10.1, 10.1-RELEASE-p31)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+Hyper-V is a native hypervisor running on Windows operating system. It can
+run FreeBSD 10.x as guest in virtual machine.
+
+Data Exchange is an integration service, also known as a key-value pair or
+KVP, that can be used to share information between virtual machines and the
+Hyper-V host. For more information, see
+<URL:https://technet.microsoft.com/en-us/library/dn798287.aspx>.
+
+II. Problem Description
+
+The KVP driver code doesn't implement the KVP device's .d_poll callback
+correctly: when there is no data available to the user-mode KVP daemon, the
+driver forgets to remember the daemon and wake up the daemon later. As a
+result, the daemon can't be woken up in a predictable period of time, and
+the host side's KVP query can hang for an unexpected period of time and get
+timeout, and finally the host can think the VM is irresponsive or unhealthy.
+
+III. Impact
+
+When a FreeBSD 10.x virtual machine runs on Hyper-V, the host may not get the
+expected response of a KVP query. When a virtual machine runs on Azure, the
+host may try to recover the "irresponsive" virtual machine by killing it and
+starting it later, causing unnecessary virtual machine downtime.
+
+IV. Workaround
+
+Don't run the KVP daemon on a virtual machine. With this, the host will know
+that KVP functionality is not working at all, so the host won't try to send KVP
+query to virtual machine.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date. Reboot is required.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Reboot is required.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-16:04/hyperv.patch
+# fetch https://security.FreeBSD.org/patches/EN-16:04/hyperv.patch.asc
+# gpg --verify hyperv.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/10/ r292438
+releng/10.1/ r296954
+releng/10.2/ r296955
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://technet.microsoft.com/en-us/library/dn798287.aspx>.
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-16:04.hyperv.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJW6eQmAAoJEO1n7NZdz2rnq+sQAOOnGB826xMwM5xW7a2rnOKV
+SDPzC0XXkHhRltJWSaIBi+nhKusMQcuYEaZDG8P5pvugpJfBPDhv2THu9ofEhvB4
+88iT4sFOKi20iXJxrZQM5UT9tPaDoWUCQ9isr4HseotF5Hda4onplGK3/VXq3xGF
+tGjgOfnHbhQbXAf7JZwCfjUeIyYYY2VGBscSwDF/AS0Z9vUEudNKnPEZcC5V19LJ
+8vZHjknNpchklnaT0UFZwrpFEgpmSU5rtYlH6FbfWYbspqRjEk1Ia2wkasB9im2z
+v2vc+qNOqgOMATgatix0yqzXnBkOqi+5ra0MUipXG89l3Yxvekv0mvqQFYRWN7MN
+fjPOnP9i2hjoKbbPEArEmYffOFMjxrOTgzLYVxXntOTUFMgGcUXltgjlo/Ov4Fm0
+CfDIDUBlyPlDkemPYiaRinyLim4M3TOll2M6ucnonFuE//sLfU/DEnlz8pf+yJg3
+jeJ7Pi6YKe+YUrTj2kL8shoPWjg00oHCIZua9nFhdHwNURX5XuoPlf84qxeSmumL
+lbQ8Dq82zkECJmJe7fGshUyPGlXqN+ValGYtZkuQwS/vq1cxRomvO1naZQDqJuVA
+Z15SW63CnsFIYJvK0Dd0v0i3Nw0WYHRRJ5nFo18WIzHs2FZguib1wqiN6D1oRnrH
+0YgK0KZFzwWufB7YB0TG
+=4BjO
+-----END PGP SIGNATURE-----
Added: head/share/security/advisories/FreeBSD-16:05.hv_netvsc.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-16:05.hv_netvsc.asc Wed Mar 16 23:10:13 2016 (r48424)
@@ -0,0 +1,129 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-16:05.hv_netvsc Errata Notice
+ The FreeBSD Project
+
+Topic: hv_netvsc(4) incorrect TCP/IP checksums
+
+Category: core
+Module: hyperv
+Announced: 2016-03-16
+Credits: Larry Baird
+Affects: FreeBSD 10.2
+Corrected: 2015-12-18 14:56:49 UTC (stable/10, 10.2-STABLE)
+ 2016-03-16 22:31:04 UTC (releng/10.2, 10.2-RELEASE-p14)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+Hyper-V is a native hypervisor running on Windows operating system. It can
+run FreeBSD 10.x as guest in virtual machine.
+
+When FreeBSD guest runs on Hyper-V, to get the best network performance,
+it usually uses the Hyper-V synthetic network device. The driver of the
+network device is called hv_netvsc(4). Since FreeBSD 10.2-RELEASE the
+driver supports TCP segmentation and TCP/IP checksum offloading.
+
+II. Problem Description
+
+Together with the TCP segmentation and TCP/IP checksum offloading a regression
+was introduced. The driver checked the inbound checksum flags when deciding
+whether to process checksums or not, while it should have checked the outbound
+flags only.
+
+III. Impact
+
+If the guest running on Hyper-V is configured as a gateway, the host will
+silently drop certain packets from the guest.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date. Reboot is required.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Reboot is required.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-16:05/hv_netvsc.patch
+# fetch https://security.FreeBSD.org/patches/EN-16:05/hv_netvsc.patch.asc
+# gpg --verify hv_netvsc.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/10/ r292439
+releng/10.2/ r296955
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203630>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-16:05.hv_netvsc.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJW6eQyAAoJEO1n7NZdz2rnOdQQANX3NYcoY1uMJEJcOMgfKp52
+OUKUriPdJjEr94Yq/QSGaIp5WyZ5O/hu89LI45DlJMHGxQYJrpQuM1Cyf2QS770u
+yrmfTkcJpqmwJpr4pOqQuYUHuAXkUsOeOysOO/2ccP7USFWqdWbgLotbq3JAFwIz
+cnPwteAawZ3BZLaDRXgsr9Hhqn5d++YIsYC3mhyGNJJI6LlNG/ihba2Vd8lDu9hv
+UVv0WW8yfv851jEv/vhCQmhHcHcIAhzZGLn47Shi4s0833icvPeU+Xc/cpL/wifX
+vCPKA53DqdsNCsPQbbfzgCgoxV1iC3zb/4EOUAIpCInS00N4YQeQiJePH7Im56rc
+y6LsccIf1otr8xCuRuWsUVXuzrmtDBKDzE2gwMx+YHAEWl7ObhgM1VYYWoYnwBlr
+g+M2Wynjcj/rSZUpBdtUFFDNhqFlvrFSXDUEl0MbK4IzwtyOQtQfnCjy6kTqr2yB
+czWonmU9tgLtaqkN61b5pBx+jR2oEC4M8HPHuA2LmEKLJrgfePHBIAZ7cPnWaZ4O
+L4uP97MPmZEQggQeED5SLTMl3jJUe52H9XDkN8RV8/P3oA/YXBD4prhg4fYvNKQT
+VR0pWvlnJNmjaupCBWOfJfG1S8+oOfoTNV5/Fq83LVLW0DPKHVmLtQfS5Rs02745
+VnvCDT/XPOCODW1KdsSc
+=vkxR
+-----END PGP SIGNATURE-----
Added: head/share/security/advisories/FreeBSD-SA-16:14.openssh.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-16:14.openssh.asc Wed Mar 16 23:10:13 2016 (r48424)
@@ -0,0 +1,153 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-16:14.openssh Security Advisory
+ The FreeBSD Project
+
+Topic: OpenSSH xauth(1) command injection
+Category: contrib
+Module: OpenSSH
+Announced: 2016-03-16
+Credits:
+Affects: All supported versions of FreeBSD.
+Corrected: 2016-03-12 23:53:20 UTC (stable/10, 10.2-STABLE)
+ 2016-03-14 13:05:13 UTC (releng/10.3, 10.3-RC2)
+ 2016-03-16 22:31:04 UTC (releng/10.2, 10.2-RELEASE-p14)
+ 2016-03-16 22:30:56 UTC (releng/10.1, 10.1-RELEASE-p31)
+ 2016-03-13 23:50:19 UTC (stable/9, 9.3-STABLE)
+ 2016-03-16 22:30:03 UTC (releng/9.3, 9.3-RELEASE-p39)
+CVE Name: CVE-2016-3115
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+OpenSSH is an implementation of the SSH protocol suite, providing an
+encrypted and authenticated transport for a variety of services,
+including remote shell access. OpenSSH supports X11 forwarding,
+allowing X11 applications on the server to connect to the client's
+display.
+
+When an X11 forwarding session is established, the OpenSSH daemon runs
+the xauth tool with information provided by the client to create an
+authority file on the server containing information that applications
+need in order to connect to the client's X11 display.
+
+II. Problem Description
+
+Due to insufficient input validation in OpenSSH, a client which has
+permission to establish X11 forwarding sessions to a server can
+piggyback arbitrary shell commands on the data intended to be passed
+to the xauth tool.
+
+III. Impact
+
+An attacker with valid credentials and permission to establish X11
+forwarding sessions can bypass other restrictions which may have been
+placed on their account, for instance using ForceCommand directives in
+the server's configuration file.
+
+IV. Workaround
+
+Disable X11 forwarding globally by adding the following line to
+/etc/ssh/sshd_config, before any Match blocks:
+
+ X11Forwarding no
+
+then either restart the OpenSSH daemon or reboot the system.
+
+Consult the sshd(8) and sshd_config(5) manual pages for additional
+information on how to enable or disable X11 forwarding on a per-user
+or per-key basis.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+then either restart the OpenSSH daemon or reboot the system.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# service sshd restart
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 9.3]
+# fetch https://security.FreeBSD.org/patches/SA-16:14/openssh-xauth.patch
+# fetch https://security.FreeBSD.org/patches/SA-16:14/openssh-xauth.patch.asc
+# gpg --verify openssh-xauth.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+d) Either restart the OpenSSH daemon or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/9/ r296780
+releng/9.3/ r296953
+stable/10/ r296781
+releng/10.1/ r296954
+releng/10.2/ r296955
+releng/10.3/ r296853
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:http://www.openssh.com/txt/x11fwd.adv>
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3115>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:14.openssh.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJW6ePuAAoJEO1n7NZdz2rncF0QAOu5DtldNmqgqr7iwdCguoiB
+wTYAenLBBhbj4SoMeqhGd9p6RfoKtgsjt1Pbw/4XXJOIsgvFezm4GvDHWrHCqp14
+3DIJWTxcXcDkRvnqiqUJSDszeM7BYu7G+q8VXEGl0ObMBWfgfsP42jnemx81bI4e
+W4Y5/idRvE+6yn7ja3qnNFEB8NfBZOYBV27+tTBiKaZgOt52yWQiFuVIE0WDYS/f
+I7Pc5DzMAU5l4bEPRYlniuVKOaGY+JYjbuVW/4af9MU6JYmK3HATtNcAuDi2SsSo
+SIpbJeILtyXTi72LClT/Px1GsQi/OIjiE2/7DOtNODyjPnQlRIoHveaaYBZ+WUks
+A0hEgaxdDLU+SUHcJKmbdu65eCQtrkdS0vquGnlqd2Q1fqQwwE4U1A2tEgbsGZ6R
+fikKBHISZYwhGMkIijy0ImDAD/SzO5UrIsgePM+9PoeGqLRZXKVNCtxaKpA9tO80
+J9MAbLsi7jgzncCGliL6x3m/w6xsJWP//NtyZVF74ydMEh8IuW4n8yrlrZN5cWJa
+2rySvewHvdXwlClFzMrAxwRPEo845xmsIvODMpaZplXaIzqNN46WfkBsPZTBkYR4
+xF/YNQkLSjYpbrv9GLfJtDn2+ny5OYkJ/pWhaiN0r7oeBjnbXLz9Y/4sS1rFyIMR
+OYy+uH7vcQ7RLXfVgahv
+=RZqF
+-----END PGP SIGNATURE-----
Added: head/share/security/advisories/FreeBSD-SA-16:15.sysarch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-16:15.sysarch.asc Wed Mar 16 23:10:13 2016 (r48424)
@@ -0,0 +1,141 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-16:15.sysarch Security Advisory
+ The FreeBSD Project
+
+Topic: Incorrect argument validation in sysarch(2)
+
+Category: core
+Module: kernel
+Announced: 2016-03-16
+Credits: Core Security
+Affects: All supported versions of FreeBSD.
+Corrected: 2016-03-16 22:35:55 UTC (stable/10, 10.2-STABLE)
+ 2016-03-16 22:31:04 UTC (releng/10.2, 10.2-RELEASE-p14)
+ 2016-03-16 22:30:56 UTC (releng/10.1, 10.1-RELEASE-p31)
+ 2016-03-16 22:36:02 UTC (stable/9, 9.3-STABLE)
+ 2016-03-16 22:30:03 UTC (releng/9.3, 9.3-RELEASE-p39)
+CVE Name: CVE-2016-1885
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The IA-32 architecture allows programs to define segments, which provides
+based and size-limited view into the program address space. The
+memory-resident processor structure, called Local Descriptor Table,
+usually abbreviated LDT, contains definitions of the segments. Since
+incorrect or malicious segments would breach system integrity, operating
+systems do not provide processes direct access to the LDT, instead
+they provide system calls which allow controlled installation and removal
+of segments.
+
+II. Problem Description
+
+A special combination of sysarch(2) arguments, specify a request to
+uninstall a set of descriptors from the LDT. The start descriptor
+is cleared and the number of descriptors are provided. Due to invalid
+use of a signed intermediate value in the bounds checking during argument
+validity verification, unbound zero'ing of the process LDT and adjacent
+memory can be initiated from usermode.
+
+III. Impact
+
+This vulnerability could cause the kernel to panic. In addition it is
+possible to perform a local Denial of Service against the system by
+unprivileged processes.
+
+IV. Workaround
+
+No workaround is available, but only the amd64 architecture is affected.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Reboot is required.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD platforms can be updated
+via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Reboot is required.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch.patch
+# fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch.patch.asc
+# gpg --verify sysarch.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/9/ r296958
+releng/9.3/ r296953
+stable/10/ r296957
+releng/10.1/ r296954
+releng/10.2/ r296955
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1885>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:15.sysarch.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJW6eO/AAoJEO1n7NZdz2rn0UMP/iU/orN0P6+Rsj9hY2B6M0VS
+H6CMMVvketkIIWl9oKX9D/G0g/HyD8uFy06qL2OBz+h99h1oaF5ELl4G6TkF69Ra
+yOKrLcWnyi3eWLUaPvGkrLakVpG0+pU3QRvBT+d0nsTarOMPq+nhooarMfAluF3p
+c3bXEjzn/lTA5T0zTcGS2o9IgORvYrKRIGW0KJDsCWsDgVyWngsJAJdIrzwx022Q
+ENoIGmgLnYsx7TY1cuMtdb3TVyJsZv8zjrrmcLzw67Vly7wShs22CKK23ydDDyy9
+xFYsbWA+X8CarV2uSk8xJCIbWjJSlfc9XvOlHLZEiT7PNCZIk2c2fNLENxHvyNl1
+vgIUBoD/wzzS5QqdnT4r726aQt3pNezns1NDxujwUovVn5nQaXnKOTJHsOthDJ99
+PakEMa93iZqOfzbVouBIBH1IPgNLHof9Jdq3wYiKhrQVJXRespdpCfh3/wdph9LB
+ElBOTlrCcShV+N6deO4KI2wNK5h704D4hOMsqlInLwGQmGi7qa4ouWASgzQQmU/8
+6va3mJsgCvzHUpRCMQo7pIZm6SnOIYLdg7S4vV7P6q5oOIBnjFa8bK/Cq+zOR42e
+gJs9ou65JTTC0KG+26wXaD2Wx8uriO/+ZfCT/YM29FUUqIdayqHxhACjF0lkY83P
+02CAQXURVoI7kbjHaGT7
+=jV9z
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/EN-16:04/hyperv.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/EN-16:04/hyperv.patch Wed Mar 16 23:10:13 2016 (r48424)
@@ -0,0 +1,48 @@
+--- sys/dev/hyperv/utilities/hv_kvp.c.orig
++++ sys/dev/hyperv/utilities/hv_kvp.c
+@@ -44,6 +44,7 @@
+ #include <sys/reboot.h>
+ #include <sys/lock.h>
+ #include <sys/taskqueue.h>
++#include <sys/selinfo.h>
+ #include <sys/sysctl.h>
+ #include <sys/poll.h>
+ #include <sys/proc.h>
+@@ -114,6 +115,8 @@
+ static struct hv_kvp_msg *hv_kvp_dev_buf;
+ struct proc *daemon_task;
+
++static struct selinfo hv_kvp_selinfo;
++
+ /*
+ * Global state to track and synchronize multiple
+ * KVP transaction requests from the host.
+@@ -628,6 +631,9 @@
+
+ /* Send the msg to user via function deamon_read - setting sema */
+ sema_post(&kvp_globals.dev_sema);
++
++ /* We should wake up the daemon, in case it's doing poll() */
++ selwakeup(&hv_kvp_selinfo);
+ }
+
+
+@@ -940,7 +946,7 @@
+ * for daemon to read.
+ */
+ static int
+-hv_kvp_dev_daemon_poll(struct cdev *dev __unused, int events, struct thread *td __unused)
++hv_kvp_dev_daemon_poll(struct cdev *dev __unused, int events, struct thread *td)
+ {
+ int revents = 0;
+
+@@ -953,6 +959,9 @@
+ */
+ if (kvp_globals.daemon_busy == true)
+ revents = POLLIN;
++ else
++ selrecord(td, &hv_kvp_selinfo);
++
+ mtx_unlock(&kvp_globals.pending_mutex);
+
+ return (revents);
Added: head/share/security/patches/EN-16:04/hyperv.patch.asc
==============================================================================
Binary file. No diff available.
Added: head/share/security/patches/EN-16:05/hv_netvsc.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/EN-16:05/hv_netvsc.patch Wed Mar 16 23:10:13 2016 (r48424)
@@ -0,0 +1,28 @@
+--- sys/dev/hyperv/netvsc/hv_netvsc_drv_freebsd.c.orig
++++ sys/dev/hyperv/netvsc/hv_netvsc_drv_freebsd.c
+@@ -128,6 +128,15 @@
+ #define HV_NV_SC_PTR_OFFSET_IN_BUF 0
+ #define HV_NV_PACKET_OFFSET_IN_BUF 16
+
++/*
++ * A unified flag for all outbound check sum flags is useful,
++ * and it helps avoiding unnecessary check sum calculation in
++ * network forwarding scenario.
++ */
++#define HV_CSUM_FOR_OUTBOUND \
++ (CSUM_IP|CSUM_IP_UDP|CSUM_IP_TCP|CSUM_IP_SCTP|CSUM_IP_TSO| \
++ CSUM_IP_ISCSI|CSUM_IP6_UDP|CSUM_IP6_TCP|CSUM_IP6_SCTP| \
++ CSUM_IP6_TSO|CSUM_IP6_ISCSI)
+
+ /*
+ * Data types
+@@ -570,7 +579,8 @@
+ packet->vlan_tci & 0xfff;
+ }
+
+- if (0 == m_head->m_pkthdr.csum_flags) {
++ /* Only check the flags for outbound and ignore the ones for inbound */
++ if (0 == (m_head->m_pkthdr.csum_flags & HV_CSUM_FOR_OUTBOUND)) {
+ goto pre_send;
+ }
+
Added: head/share/security/patches/EN-16:05/hv_netvsc.patch.asc
==============================================================================
Binary file. No diff available.
Added: head/share/security/patches/SA-16:14/openssh-xauth.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-16:14/openssh-xauth.patch Wed Mar 16 23:10:13 2016 (r48424)
@@ -0,0 +1,62 @@
+--- crypto/openssh/session.c.orig
++++ crypto/openssh/session.c
+@@ -46,6 +46,7 @@
+
+ #include <arpa/inet.h>
+
++#include <ctype.h>
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <grp.h>
+@@ -274,6 +275,21 @@
+ do_cleanup(authctxt);
+ }
+
++/* Check untrusted xauth strings for metacharacters */
++static int
++xauth_valid_string(const char *s)
++{
++ size_t i;
++
++ for (i = 0; s[i] != '\0'; i++) {
++ if (!isalnum((u_char)s[i]) &&
++ s[i] != '.' && s[i] != ':' && s[i] != '/' &&
++ s[i] != '-' && s[i] != '_')
++ return 0;
++ }
++ return 1;
++}
++
+ /*
+ * Prepares for an interactive session. This is called after the user has
+ * been successfully authenticated. During this message exchange, pseudo
+@@ -347,7 +363,13 @@
+ s->screen = 0;
+ }
+ packet_check_eom();
+- success = session_setup_x11fwd(s);
++ if (xauth_valid_string(s->auth_proto) &&
++ xauth_valid_string(s->auth_data))
++ success = session_setup_x11fwd(s);
++ else {
++ success = 0;
++ error("Invalid X11 forwarding data");
++ }
+ if (!success) {
+ free(s->auth_proto);
+ free(s->auth_data);
+@@ -2178,7 +2200,13 @@
+ s->screen = packet_get_int();
+ packet_check_eom();
+
+- success = session_setup_x11fwd(s);
++ if (xauth_valid_string(s->auth_proto) &&
++ xauth_valid_string(s->auth_data))
++ success = session_setup_x11fwd(s);
++ else {
++ success = 0;
++ error("Invalid X11 forwarding data");
++ }
+ if (!success) {
+ free(s->auth_proto);
+ free(s->auth_data);
Added: head/share/security/patches/SA-16:14/openssh-xauth.patch.asc
==============================================================================
Binary file. No diff available.
Added: head/share/security/patches/SA-16:15/sysarch.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-16:15/sysarch.patch Wed Mar 16 23:10:13 2016 (r48424)
@@ -0,0 +1,13 @@
+--- sys/amd64/amd64/sys_machdep.c.orig
++++ sys/amd64/amd64/sys_machdep.c
+@@ -580,8 +580,8 @@
+ struct i386_ldt_args *uap;
+ struct user_segment_descriptor *descs;
+ {
+- int error = 0, i;
+- int largest_ld;
++ int error = 0;
++ unsigned int largest_ld, i;
+ struct mdproc *mdp = &td->td_proc->p_md;
+ struct proc_ldt *pldt;
+ struct user_segment_descriptor *dp;
Added: head/share/security/patches/SA-16:15/sysarch.patch.asc
==============================================================================
Binary file. No diff available.
Modified: head/share/xml/advisories.xml
==============================================================================
--- head/share/xml/advisories.xml Wed Mar 16 20:30:45 2016 (r48423)
+++ head/share/xml/advisories.xml Wed Mar 16 23:10:13 2016 (r48424)
@@ -11,6 +11,18 @@
<name>3</name>
<day>
+ <name>16</name>
+
+ <advisory>
+ <name>FreeBSD-SA-16:15.sysarch</name>
+ </advisory>
+
+ <advisory>
+ <name>FreeBSD-SA-16:14.openssh</name>
+ </advisory>
+ </day>
+
+ <day>
<name>10</name>
<advisory>
Modified: head/share/xml/notices.xml
==============================================================================
--- head/share/xml/notices.xml Wed Mar 16 20:30:45 2016 (r48423)
+++ head/share/xml/notices.xml Wed Mar 16 23:10:13 2016 (r48424)
@@ -8,6 +8,22 @@
<name>2016</name>
<month>
+ <name>3</name>
+
+ <day>
+ <name>16</name>
+
+ <notice>
+ <name>FreeBSD-EN-16:05.hv_netvsc</name>
+ </notice>
+
+ <notice>
+ <name>FreeBSD-EN-16:04.hyperv</name>
+ </notice>
+ </day>
+ </month>
+
+ <month>
<name>1</name>
<day>
More information about the svn-doc-head
mailing list