Add two latest advisories:

Fix Denial of Service vulnerability in named(8). [13:07]

  Fix a bug that allows remote client bypass the normal
  access checks when when -network or -host restrictions are
  used at the same time with -mapall. [13:08]

share/security/advisories/FreeBSD-SA-13:07.bind.asc

@@ -0,0 +1,121 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+=============================================================================
+FreeBSD-SA-13:07.bind                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          BIND remote denial of service
+
+Category:       contrib
+Module:         bind
+Announced:      2013-07-26
+Credits:        Maxim Shudrak and the HP Zero Day Initiative, ISC
+Affects:        FreeBSD 8.4-RELEASE and FreeBSD 9.x
+Corrected:      2013-07-26 22:53:17 UTC (stable/8, 8.4-STABLE)
+                2013-07-26 22:40:17 UTC (releng/8.4, 8.4-RELEASE-p2)
+                2013-07-26 22:43:09 UTC (stable/9, 9.2-BETA2)
+                2013-07-26 22:40:23 UTC (releng/9.1, 9.1-RELEASE-p5)
+CVE Name:       CVE-2013-4854
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+BIND 9 is an implementation of the Domain Name System (DNS) protocols.
+The named(8) daemon is an Internet Domain Name Server.  The libdns
+library is a library of DNS protocol support functions.
+
+II.  Problem Description
+
+Due to a software defect a specially crafted query which includes
+malformed rdata, could cause named(8) to crash with an assertion
+failure and rejecting the malformed query.  This issue affects both
+recursive and authoritative-only nameservers.
+
+III. Impact
+
+An attacker who can send a specially crafted query could cause named(8)
+to crash, resulting in a denial of service.
+
+IV.  Workaround
+
+No workaround is available, but systems not running the named(8) service
+and not using the base system DNS utilities are not affected.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/SA-13:07/bind.patch
+# fetch http://security.FreeBSD.org/patches/SA-13:07/bind.patch.asc
+# gpg --verify bind.patch.asc
+
+b) Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the named daemon, or reboot the system.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r253696
+releng/8.4/                                                       r253692
+stable/9/                                                         r253695
+releng/9.1/                                                       r253693
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing XXXXXX with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cXXXXXX --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing XXXXXX with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=XXXXXX>
+
+VII. References
+
+https://kb.isc.org/article/AA-01015
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4854>
+
+The latest revision of this advisory is available at
+http://security.FreeBSD.org/advisories/FreeBSD-SA-13:07.bind.asc
+-----BEGIN PGP SIGNATURE-----
+
+iEYEARECAAYFAlHzPpMACgkQFdaIBMps37Jb2ACdFqaNTTBFiOCuz30MJ5s85UVd
+MzoAn2ebCjqULwyEbJaeTlck87NPfQWR
+=RFf2
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-SA-13:08.nfsserver.asc

@@ -0,0 +1,120 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+=============================================================================
+FreeBSD-SA-13:08.nfsserver                                  Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Incorrect privilege validation in the NFS server
+
+Category:       core
+Module:         nfsserver
+Announced:      2013-07-26
+Credits:        Rick Macklem, Christopher Key, Tim Zingelman
+Affects:        FreeBSD 8.3, FreeBSD 9.0 and FreeBSD 9.1
+Corrected:      2012-12-28 14:06:49 UTC (stable/9, 9.2-BETA2)
+                2013-07-26 22:40:23 UTC (releng/9.1, 9.1-RELEASE-p5)
+                2013-01-06 01:11:45 UTC (stable/8, 8.3-STABLE)
+                2013-07-26 22:40:29 UTC (releng/8.3, 8.3-RELEASE-p9)
+CVE Name:       CVE-2013-4851
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+The Network File System (NFS) allows a host to export some or all of its
+file systems so that other hosts can access them over the network and mount
+them as if they were on local disks.  FreeBSD includes both server and client
+implementations of NFS.
+
+II.  Problem Description
+
+The kernel incorrectly uses client supplied credentials instead of the one
+configured in exports(5) when filling out the anonymous credential for a
+NFS export, when -network or -host restrictions are used at the same time.
+
+III. Impact
+
+The remote client may supply privileged credentials (e.g. the root user)
+when accessing a file under the NFS share, which will bypass the normal
+access checks.
+
+IV.  Workaround
+
+Systems that do not provide the NFS service are not vulnerable.  Systems that
+do provide the NFS service are only vulnerable when -mapall or -maproot is
+used in combination with network and/or host restrictions.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/SA-13:08/nfsserver.patch
+# fetch http://security.FreeBSD.org/patches/SA-13:08/nfsserver.patch.asc
+# gpg --verify nfsserver.patch.asc
+
+b) Apply the patch.
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r245086
+releng/8.3/                                                       r253694
+stable/9/                                                         r244772
+releng/9.1/                                                       r253693
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing XXXXXX with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cXXXXXX --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing XXXXXX with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=XXXXXX>
+
+VII. References
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4851>
+
+The latest revision of this advisory is available at
+http://security.FreeBSD.org/advisories/FreeBSD-SA-13:08.nfsserver.asc
+-----BEGIN PGP SIGNATURE-----
+
+iEYEARECAAYFAlHzPrkACgkQFdaIBMps37I9YACfSu4orRhgOhol8vacW9kF3ZGP
+jtAAn0t2i14CMo1MT5MztI6RWX3hnUWZ
+=xjf/
+-----END PGP SIGNATURE-----

share/security/patches/SA-13:07/bind.patch

@@ -0,0 +1,13 @@
+Index: contrib/bind9/lib/dns/rdata/generic/keydata_65533.c
+===================================================================
+--- contrib/bind9/lib/dns/rdata/generic/keydata_65533.c	(revision 253461)
++++ contrib/bind9/lib/dns/rdata/generic/keydata_65533.c	(working copy)
+@@ -176,7 +176,7 @@
+ 	UNUSED(options);
+ 
+ 	isc_buffer_activeregion(source, &sr);
+-	if (sr.length < 4)
++	if (sr.length < 16)
+ 		return (ISC_R_UNEXPECTEDEND);
+ 
+ 	isc_buffer_forward(source, sr.length);

share/security/patches/SA-13:07/bind.patch.asc

@@ -0,0 +1,6 @@
+-----BEGIN PGP SIGNATURE-----
+
+iEYEABECAAYFAlHzPqUACgkQFdaIBMps37IIPgCgioXGAf1PRyZ0mSeCktSzxFeY
+l+4An0YlRzZ8Xbt+CgxwIwyvGjLYpy9q
+=tbCD
+-----END PGP SIGNATURE-----

share/security/patches/SA-13:08/nfsserver.patch

@@ -0,0 +1,13 @@
+Index: sys/kern/vfs_export.c
+===================================================================
+--- sys/kern/vfs_export.c	(revision 253367)
++++ sys/kern/vfs_export.c	(working copy)
+@@ -208,7 +208,7 @@
+ 	np->netc_anon = crget();
+ 	np->netc_anon->cr_uid = argp->ex_anon.cr_uid;
+ 	crsetgroups(np->netc_anon, argp->ex_anon.cr_ngroups,
+-	    np->netc_anon->cr_groups);
++	    argp->ex_anon.cr_groups);
+ 	np->netc_anon->cr_prison = &prison0;
+ 	prison_hold(np->netc_anon->cr_prison);
+ 	np->netc_numsecflavors = argp->ex_numsecflavors;

share/security/patches/SA-13:08/nfsserver.patch.asc

@@ -0,0 +1,22 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+Index: sys/kern/vfs_export.c
+===================================================================
+- --- sys/kern/vfs_export.c	(revision 253367)
++++ sys/kern/vfs_export.c	(working copy)
+@@ -208,7 +208,7 @@
+ 	np->netc_anon = crget();
+ 	np->netc_anon->cr_uid = argp->ex_anon.cr_uid;
+ 	crsetgroups(np->netc_anon, argp->ex_anon.cr_ngroups,
+- -	    np->netc_anon->cr_groups);
++	    argp->ex_anon.cr_groups);
+ 	np->netc_anon->cr_prison = &prison0;
+ 	prison_hold(np->netc_anon->cr_prison);
+ 	np->netc_numsecflavors = argp->ex_numsecflavors;
+-----BEGIN PGP SIGNATURE-----
+
+iEYEARECAAYFAlHzPsQACgkQFdaIBMps37J36gCgglvXt5i1cg/+gvs4mHyJ+mrj
+tesAn1Qli/x2FjqbQ++FPs8qF2Sc7Rxs
+=kdhf
+-----END PGP SIGNATURE-----

share/xml/advisories.xml

@@ -7,6 +7,23 @@
   <year>
     <name>2013</name>
 
+    <month>
+      <name>7</name>
+
+      <day>
+	<name>26</name>
+
+	<advisory>
+	  <name>FreeBSD-SA-13:07.bind</name>
+	</advisory>
+
+	<advisory>
+	  <name>FreeBSD-SA-13:08.nfsserver</name>
+	</advisory>
+      </day>
+
+    </month>
+
     <month>
       <name>6</name>