Add EN-15:16 - EN-15:18.

svn path=/head/; revision=47415

share/security/advisories/FreeBSD-EN-15:16.pw.asc

@@ -0,0 +1,125 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-15:16.pw                                             Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Regression in pw(8) when creating numeric users or groups
+
+Category:       core
+Module:         pw
+Announced:      2015-09-16
+Credits:        Thierry Caillet, Baptiste Daroussin
+Affects:        10.2-RELEASE
+Corrected:      2015-08-23 21:42:27 UTC (stable/10, 10.2-STABLE)
+                2015-09-16 20:59:41 UTC (releng/10.2, 10.2-RELEASE-p3)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.freebsd.org/>.
+
+I.   Background
+
+The pw(8) utility is used to create, remove, modify, and display system
+users and groups.
+
+II.  Problem Description
+
+The pw(8) utility will fail to create users and groups that only contain
+numeric values [0-9].
+
+III. Impact
+
+An attempt to create a user or group containing only numeric values will
+fail.
+
+IV.  Workaround
+
+No workaround is available, but systems configured to create users or groups
+that do not contain numeric-only names are not affected.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+2) To update your present system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your present system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-15:26/pw.patch
+# fetch https://security.FreeBSD.org/patches/EN-15:26/pw.patch.asc
+# gpg --verify pw.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+A reboot of the running system is not necessary after installing the updated
+pw(8) utility.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r287084
+releng/10.2/                                                      r287872
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<other info on vulnerability>
+
+The latest revision of this Errata Notice is available at
+https://security.FreeBSD.org/advisories/FreeBSD-EN-15:26.pw.asc
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.8 (FreeBSD)
+
+iQIcBAEBCgAGBQJV+dpkAAoJEO1n7NZdz2rndhEQAKKeeQnj+Woggr6L1x8R3uTt
+q7ljwpAq2v3bMRQwMg/F3DOivcFAw9fn63u/siZLnZj0oqCCns0UT8ResHL6wMlD
+dVYav/npB/XeJTpqF6kuLKelqrzL+/YnU2lVe7SBQQibdszrn3sZSdeyF/XQrSOg
+Fqpa+xAP4/ZrSQviuyLe1AM1UI4RXVGssxmHO16zQTO+fp3cPmwP/wZ/Dlk/jnwa
+GugIuf/Vc7lzyDCtbOifRLLmiRo3IVoR7temMHEaBsTPClVzb+OHOdiD3aVYL6Vy
+Mp4oFBC7txmfIjDfmZ11EX4OBnCLpx3JEOAMTya0Mvo5PMLoymhu0RoWUyNXX4s7
+ThEjCaUWfEOYIDbP54ZCOrIooCvnjQFcs5MWys6tYO6iOOW96FUu4cV0ez8u+ukS
+Zz1b/TGEgks+/74mMgDO3z1FhGbJeRVFmQUUd+/ZboLIYhTOmop/puHLMpnSV0hY
+C0GSwhUtMD/E3a9AmyMoo9Wj1TySlxAmjb0kHPh0IpY0xPHmfXSJ17+LpGPeEHEj
+LLFRTHBiA/Qs/WJCSMy6XhztRJ2WPomqefhUtrh1mzzeJgQPX2yWRizvTboD0zAA
+yb4U22iuu1gkA7vEaOAW5RFGEKg3cGmHSqB/r0gZ20zazv0//l0Q8Sm0slP53kDs
+K+wCT8FF22Fgy0ZPw831
+=m4lo
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-EN-15:17.libc.asc

@@ -0,0 +1,129 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-15:17.libc                                           Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          libc incorrectly handles signals for multi-threaded processes
+
+Category:       core
+Module:         libc
+Announced:      2015-09-16
+Credits:        Konstantin Belousov
+Affects:        FreeBSD 10.2
+Corrected:      2015-09-05 08:55:51 UTC (stable/10, 10.2-STABLE)
+                2015-09-16 20:59:41 UTC (releng/10.2, 10.2-RELEASE-p3)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.freebsd.org/>.
+
+I.   Background
+
+The FreeBSD libc library is the core C runtime library which implements
+the ANSI C, POSIX APIs and BSD extensions for applications on top of the
+FreeBSD kernel.  The internal operations of libc change when the threading
+library is loaded, ensuring service implementations are operational in
+multi-threaded environments, while avoiding unnecessary overhead for
+applications not utilizing threads.  The implementation of some services
+is delegated to the threading library, for instance, the signal management.
+
+II.  Problem Description
+
+Signal-related services, such as signal(3), sigprocmask(2), and sigwait(2)
+are not properly redirected to the threading library implementation when
+used by libc directly.
+
+III. Impact
+
+The full impact of the bug is difficult to enumerate precisely based on the
+nature of the problem, though some visible effects include runtime linker
+hang during signal delivery, and delivery of a signal to the application
+at an unexpected time.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+2) To update your present system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your present system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-15:17/libc.patch
+# fetch https://security.FreeBSD.org/patches/EN-15:17/libc.patch.asc
+# gpg --verify libc.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r287480
+releng/10.2/                                                      r287872
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this Errata Notice is available at
+https://security.FreeBSD.org/advisories/FreeBSD-EN-15:17.libc.asc
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.8 (FreeBSD)
+
+iQIcBAEBCgAGBQJV+dppAAoJEO1n7NZdz2rnKb8P/1D1VyY3WoenCbDAx/diaqpf
+yFV5ncQBF2yQ+ADJ9WcGVmVqx4AjP56a2PGZ0YaEG/wUbqrfdzABfA+phr+tIm65
+7QaNcPFSnvtGUH28hXkGT4sf4tpb2H/dD3eGTz4a8Fp8KbDcnYyg0kvOlBo1m7l7
+kfPt0fBH9yn5nf36mI6hD7SsajLnh92pvHG0tIlojDDU34zgrqA408BV7nWM8tvf
+jZxS7dLm0ZXUnlwXohwuESqT+GTsANjIv8pldWLxBAN+0qJ6+ZMvhgknkN9pu42D
+Zi/Hb/C/g6HmeglXbHvAbFzdLLfcduY3B469CuPPYwm7qVmkJvsbsyj+Tq/OtswX
+r50fFALF3LcRVzuRwRXDUciXufw0AdBNMCykl0kfai2r2R1CHvtfGC2bLyZoRk21
+1Kr/uh/eMqBs6OyW14ASfB6jOtjInYnVMYyjNeo75qUYOj7z5ybieNfM5X1kNfs1
+7Qckinr0bW9o2MMAj4bewJ6KkLlN1YAQqa3lx4JipFz/jut/9L1XWzsJMYNT7N7J
+G/qOBGjoH1lF56VvtngOVYTOdsxdZfu0s8KweH8SyzZHsnf7jHeHinp/ECo36hR6
++xQQO01w97xQLlKx5P0uODQb3aXMpfS3SjmSbGuAu60bXw74oMBeLlkSXR3t5DT+
+nw53+Y2BwV4yWz//iacR
+=lA5q
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-EN-15:18.pkg.asc

@@ -0,0 +1,137 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-15:18.pkg                                            Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Implement pubkey support for pkg(7) bootstrap
+
+Category:       core
+Module:         pkg
+Announced:      2015-09-16
+Credits:        Baptiste Daroussin
+Affects:        All supported versions of FreeBSD.
+Corrected:      2015-09-15 05:56:16 UTC (stable/10, 10.2-STABLE)
+                2015-09-16 20:59:41 UTC (releng/10.2, 10.2-RELEASE-p3)
+                2015-09-16 21:00:21 UTC (releng/10.1, 10.1-RELEASE-p20)
+                2015-09-15 08:34:32 UTC (stable/9, 9.3-STABLE)
+                2015-09-16 21:00:21 UTC (releng/9.3, 9.3-RELEASE-p26)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.freebsd.org/>.
+
+I.   Background
+
+The pkg(8) utility is the package management tool for FreeBSD.  The base
+system includes a pkg(7) bootstrap utility used to install the latest
+pkg(8) utility.
+
+II.  Problem Description
+
+The pubkey method is not supported by the pkg(7) bootstrap utility.
+Previously, before EN-15:15.pkg, if the system administrator requested
+this method, it is silently ignored and no check is performed.
+
+In EN-15:15.pkg, pkg(7) have been modified to issue warning and refuse
+to proceed any further.
+
+III. Impact
+
+There is no way to use the pubkey method to bootstrap pkg(8) on the
+system.
+
+IV.  Workaround
+
+No workaround is available, but the default FreeBSD configuration is not
+affected because it uses "fingerprint" method.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+2) To update your present system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your present system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 10.x]
+# fetch https://security.FreeBSD.org/patches/EN-15:18/pkg-10.patch
+# fetch https://security.FreeBSD.org/patches/EN-15:18/pkg-10.patch.asc
+# gpg --verify pkg-10.patch.asc
+
+[FreeBSD 9.3]
+# fetch https://security.FreeBSD.org/patches/EN-15:18/pkg-9.patch
+# fetch https://security.FreeBSD.org/patches/EN-15:18/pkg-9.patch.asc
+# gpg --verify pkg-9.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/9/                                                         r287814
+releng/9.3/                                                       r287873
+stable/10/                                                        r287810
+releng/10.1/                                                      r287873
+releng/10.2/                                                      r287872
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this Errata Notice is available at
+https://security.FreeBSD.org/advisories/FreeBSD-EN-15:18.pkg.asc
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.8 (FreeBSD)
+
+iQIcBAEBCgAGBQJV+dppAAoJEO1n7NZdz2rn9cUP/0CWVv/p9UJb53HzTjFJTmm3
+WS0eDqvGS9DS9G/QWsYUWqDQY+Sf9kIFpSQFjIxNbhGlxxRyYaU7hrn2fqbxdJvk
+wOlr+7Enui5d9dFLSYKuMfxY5dlyX+Y9WshdH5WI1I4jYrsEPrLc+YeJ7aaQ2QmP
+GbXHl21SenB32GxLh1/THuWPYRaMuOujbpO3DCbbTsxFfdgytUO3cbefvuKn4gfe
+Ol8yDUS9emD5mmD55uSuIvbOgywWFqpYGBcnAIwB5oRRKgJitbeZbXjOjyxCTVvT
+B3lBdPP6RIWnrMpBiQ9NPVWpYvk5jHnhUOfVDmVFIpG6UzRqqbLQVn4m2QoHmaxe
+eHNMuRT/Zpf5QIPZBpdVITz647V1M/gEb5GRnQ1B2JA0KXAxCsnt6qHPoG8JsrRW
+6G90QHjHqGLFtssGIILeCTRHJHYzjCxlRVWF8LgUgshQBbxpUmde6VedahdwKFel
+JG34M4Qxr9PIQ9u7UN4+bolxXtRSsUiKDtakYQs/NrnF48OZJSY98e4QG4tRsxvy
+cWcSsjkFbqzn/Z14KFb8zfygJCGdvOEOjl0Is44w+y9R8dddcwoFW3ufvsJi9KMc
+jQ622C+jZHa+fdUED4qJU9HDMEMDcMFH6Ule4JYwegBSq463keFX/gRoDvQK/eTS
+9KWvZ0KR3azq26fp7Ni4
+=ru1t
+-----END PGP SIGNATURE-----