Add EN-21:06 to EN-21:08 and SA-21:03 to SA-21:06.

Approved by:	so
main
Gordon Tetlow 3 years ago
parent 59315f341b
commit 516370df65

@ -1,6 +1,22 @@
# Sort advisories by year, month and day
# $FreeBSD$
[[advisories]]
name = "FreeBSD-SA-21:06.xen"
date = "2021-02-24"
[[advisories]]
name = "FreeBSD-SA-21:05.jail_chdir"
date = "2021-02-24"
[[advisories]]
name = "FreeBSD-SA-21:04.jail_remove"
date = "2021-02-24"
[[advisories]]
name = "FreeBSD-SA-21:03.pam_login_access"
date = "2021-02-24"
[[advisories]]
name = "FreeBSD-SA-21:02.xenoom"
date = "2021-01-29"
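
Review bot: The header comment says entries are sorted by year, month and day, but the four entries added at the top all carry date = "2021-02-24", so their relative order (21:06 down to 21:03) is decided by advisory number alone. Consider extending the comment to say that same-day entries are ordered by descending advisory number, so later additions keep the convention.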

@ -1,6 +1,18 @@
# Sort errata notices by year, month and day
# $FreeBSD$
[[notices]]
name = "FreeBSD-EN-21:08.freebsd-update"
date = "2021-02-24"
[[notices]]
name = "FreeBSD-EN-21:07.caroot"
date = "2021-02-24"
[[notices]]
name = "FreeBSD-EN-21:06.microcode"
date = "2021-02-24"
[[notices]]
name = "FreeBSD-EN-21:05.libatomic"
date = "2021-01-29"

@ -0,0 +1,128 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-21:06.microcode Errata Notice
The FreeBSD Project
Topic: Boot-time microcode loading causes a boot hang
Category: core
Module: x86
Announced: 2021-02-24
Affects: FreeBSD 12.2
Corrected: 2021-02-19 20:57:34 UTC (stable/12, 12.2-STABLE)
2021-02-24 01:43:50 UTC (releng/12.2, 12.2-RELEASE-p4)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
CPU microcode updates may include security fixes or mitigations. The
boot-time microcode loader applies CPU microcode as early in the boot process
as possible, minimizing the amount of code executed without updated
microcode.
Microcode updates for many different CPU types are concatenated into one file
and loaded by the boot loader. After the kernel has determined the correct
update to apply, it frees the memory containing unused microcode updates,
keeping only the update for the CPU on which the kernel is running.
II. Problem Description
An interaction between the code which frees the unused portions of the
microcode file and the rest of the system can cause boot hangs.
III. Impact
The kernel may hang during boot if boot-time microcode updates are configured.
IV. Workaround
Systems not configured to load microcode at boot-time are unaffected.
Boot-time microcode loading is currently only supported with Intel CPUs.
On systems that are configured to load microcode at boot-time, setting the
"debug.ucode.release" loader tunable to 0 will prevent the microcode update
file from being freed, working around the problem.
V. Solution
Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
Perform one of the following:
1) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
2) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-21:06/microcode.patch
# fetch https://security.FreeBSD.org/patches/EN-21:06/microcode.patch.asc
# gpg --verify microcode.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r369310
releng/12.2/ r369355
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:06.microcode.asc>
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmA15bwACgkQ05eS9J6n
5cLgbg//cottS8aQLl6YmSFs6JIyZwE4RutM2tSrkwkdQmuYLfba3tEyYs3R2iAK
x9y5bf9jFG5m7mUVr9QhEPRGrFlKTdTtW682T5ClLrZO1TIWwTUZlEC9omIpAPV3
/A2tFFK253Zhufh2bKol8y8LwEle9MrO2xURj8KOo5dFa0HxSrMeCb+YlINV/iCy
hEJPuGvVWr+1rTP0hbKT+lHwtsgV2yB73FuG85p3FtJ4nr7OBlrzDnVgAKANvGTG
VTE/g/mqKfQlYqrNccw8Si/K5vh9PNiFjXiercSyMWV1eaYT6WU/a3x94RlISvR7
6t56uWyJ9YTs3+E1bwplIZ/0qrCOvcgYqsv6ANu5/2gysFCNaNACDcAtidcly2UB
AL0hDjEQ7sAmsGmjAXfg7bbgUD/1h3saTmI3UmuWayZodMt1w6A0d/3A4bb/yZid
rF3gVvgmLBSjsgSXSqYtnS3N+af/rr01/tLaZh/yvO8d0EwFteyGar/dduSCoXbU
EK636ZNy+df7k6eCfqeh2/WixqSE7pKw2anQXmn11vHMBWDyuF919jMxrm64OdzT
sLlVrGOH8FHbUwnTsNUAfggqO7VUowvfRnYk+CzDElpXqn0Pteq8UCGABLmRKW9u
kISBhJwAjnnybyZ5/nvFaAN5UtvG5he0qhpbvArposyvqLdsgZ0=
=j/+s
-----END PGP SIGNATURE-----
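
Review bot: Section IV names the "debug.ucode.release" loader tunable but does not show how to set it; an example line for /boot/loader.conf (debug.ucode.release="0") would let an administrator facing a boot hang apply the workaround directly. Separately, step 2a runs gpg --verify microcode.patch.asc with the signature file only, leaving gpg to infer the signed file; naming both files (gpg --verify microcode.patch.asc microcode.patch) makes explicit which download is being checked.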

@ -0,0 +1,121 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-21:07.caroot Errata Notice
The FreeBSD Project
Topic: Root certificate bundle update
Category: core
Module: caroot
Announced: 2021-02-24
Affects: FreeBSD 12.2
Corrected: 2020-12-15 21:50:05 UTC (stable/12, 12.2-STABLE)
2021-02-24 01:43:56 UTC (releng/12.2, 12.2-RELEASE-p4)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
The root certificate bundle is the trust store that is used by OpenSSL
programs and libraries to aide in determining whether it should trust
a given SSL certificate.
II. Problem Description
Several certificates were removed from the bundle after the latest release
of FreeBSD 12.2.
III. Impact
Certificates are often removed from the root bundle due to a failure to
meet the standards established by Mozilla for being considered a trusted
Certificate Authority.
IV. Workaround
No workaround is available. Software that uses an internal trust store
is not affected.
V. Solution
Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
Perform one of the following:
1) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
2) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-21:07/caroot.patch
# fetch https://security.FreeBSD.org/patches/EN-21:07/caroot.patch.asc
# gpg --verify caroot.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart all applications that may be using OpenSSL, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r368678
releng/12.2/ r369357
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:07.caroot.asc>
-----BEGIN PGP SIGNATURE-----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=LVRY
-----END PGP SIGNATURE-----
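
Review bot: Section III (Impact) explains why certificates leave the root bundle but never states the effect on an unpatched system, which by sections I and II is that OpenSSL programs using the system trust store continue to trust the removed certificates. Suggest stating that directly. Also, in section I, "to aide in determining" should read "to aid in determining".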

@ -0,0 +1,126 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-21:08.freebsd-update Errata Notice
The FreeBSD Project
Topic: freebsd-update passwd regeneration
Category: core
Module: freebsd-update
Announced: 2021-02-24
Affects: All supported versions of FreeBSD.
Corrected: 2020-12-27 20:50:53 UTC (stable/12, 12.2-STABLE)
2021-02-24 01:43:52 UTC (releng/12.2, 12.2-RELEASE-p4)
2020-12-27 20:52:37 UTC (stable/11, 11.4-STABLE)
2021-02-24 01:41:49 UTC (releng/11.4, 11.4-RELEASE-p8)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
freebsd-update provides binary updates for supported releases of FreeBSD on
amd64 and i386.
II. Problem Description
The existing logic to try and avoid regenerating passwd/login.conf files
relies on timestamp comparisons between old and new files, with the caveat
that it's comparing the installed with a timestamp that has been clobbered to
do the comparison.
III. Impact
User and login.conf changes coming in from a binary update may not properly
regenerate the databases for the changes to take effect.
IV. Workaround
To workaround this issue, one may regenerate databases manually with
pwd_mkdb(8) and cap_mkdb(1), e.g.,
pwd_mkdb -p /etc/master.passwd
cap_mkdb /etc/login.conf
V. Solution
Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date. No reboot is required.
Perform one of the following:
1) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
2) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-21:08/freebsd-update.patch
# fetch https://security.FreeBSD.org/patches/EN-21:08/freebsd-update.patch.asc
# gpg --verify freebsd-update.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r368873
releng/12.2/ r369356
stable/11/ r368824
releng/11.4/ r369349
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:08.freebsd-update.asc>
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmA15cgACgkQ05eS9J6n
5cJRqA/+NMSpCafAMdn0T3ZFbZ+AwN3nHS5t/2UBBRnpUks0CWXR1XnZ7CqeTZUc
vCy3+QR93bQYDVCW7tNCOVs0bL7dVyyT9qLrmaJC1LFBtMAaM091A3gXdlhaL5I9
mATPs/Qy3/HFDjeWWZDNeg0RsXhzEnM3I/FPhhWYkA/iO++5Og1VuBWFpuPGUZbG
VuRRVuazHzqVKjlQL7XUKHJk2PGJIXTBAZHQkBn4cwux9iDxjhowtvN3hMJSPTPI
GAu3YD1YrM7UIyguh3WieVOVuHtwUdj+mccw3iifn02crq93H2Wyj4nDDYaUQXz5
Ab9HjuVGE/VjPMgfqRtouQieGTJIMCo8Y/4ytPe+Dhvtxrd4LYBHuYhZFfMFTITC
lAXUhtdF5l/PJWNG24BE3BWjPEgU3vwTtuL56PHcpO08lKgwzidvOtPV2hM2mbw/
RRJWZ0AYe8q624NwpC96WUvW5DoBA2thBXxmUaQ4KBK06tiSg/jXzmG9em4WfaQH
z2aAeg+MURBaecTfl1gWZFdkOOwNcn089T/XhLh2FuzX4NGIQChvo1gEj7thsXQp
jWF+HUpxfZ9ZZIRuNCdAjCCAY2R3pkAZSGAUvi7TTqZfbPQtAb0SgT6QXj6OslCG
w4puBrBQl+R3g3dN1Q9NSDqmob1g8MrN7mUv8Nl7LFNpnWDh4Bs=
=C5YV
-----END PGP SIGNATURE-----
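
Review bot: The Problem Description in section II is missing a noun in "it's comparing the installed with a timestamp that has been clobbered", so it does not say what is being compared against the clobbered timestamp; suggest naming the object (for example, "the installed file"). In section IV, "To workaround" should be "To work around", and the pwd_mkdb and cap_mkdb lines lack the "# " prompt that the commands in section V carry.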

@ -0,0 +1,144 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-21:03.pam_login_access Security Advisory
The FreeBSD Project
Topic: login.access fails to apply rules
Category: core
Module: pam_login_access
Announced: 2021-02-24
Affects: All supported versions of FreeBSD.
Corrected: 2021-02-24 01:20:53 UTC (stable/13, 13.0-STABLE)
2021-02-24 01:42:42 UTC (releng/13.0, 13.0-BETA3-p1)
2021-02-24 01:40:36 UTC (stable/12, 12.2-STABLE)
2021-02-24 01:44:01 UTC (releng/12.2, 12.2-RELEASE-p4)
2021-02-24 01:39:53 UTC (stable/11, 11.4-STABLE)
2021-02-24 01:41:53 UTC (releng/11.4, 11.4-RELEASE-p8)
CVE Name: CVE-2020-25580
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
login.access(5) is a system configuration file allowing administrators to
define policy around system login access by specific users and groups. It
is implemented by a pam(3) module, pam_login_access(8), and is configured
by default for accesses via sshd(8), telnetd(8) and the system console.
II. Problem Description
A regression in the login.access(5) rule processor has the effect of causing
rules to fail to match even when they should not. This means that rules
denying access may be ignored.
III. Impact
The configuration in login.access(5) may not be applied, permitting login
access to users even when the system is configured to deny it.
IV. Workaround
No workaround is available. Systems not relying on login.access(5) to
enforce custom login policies are not affected.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-21:03/pam_login_access.patch
# fetch https://security.FreeBSD.org/patches/SA-21:03/pam_login_access.patch.asc
# gpg --verify pam_login_access.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart all daemons that use the library, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/13/ 8cf559d6b9b4782bf67eb868ea480f47fc8c64a4
releng/13.0/ f82cffcf2f44c909bec00d18549826f5d1d62205
stable/12/ r369346
releng/12.2/ r369359
stable/11/ r369345
releng/11.4/ r369351
- -------------------------------------------------------------------------
[FreeBSD 13.x]
To see which files were modified by a particular revision, run the following
command in a checked out git repository, replacing NNNNNN with the revision
hash:
# git show --stat NNNNNN
Or visit the following URL, replace NNNNNN with the revision hash:
<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
[FreeBSD 11.x, FreeBSD 12.x]
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25580>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-21:03.pam_login_access.asc>
-----BEGIN PGP SIGNATURE-----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=WQ8j
-----END PGP SIGNATURE-----
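
Review bot: In section II, "causing rules to fail to match even when they should not" reads ambiguously: the next sentence and section III describe deny rules being ignored, which means rules fail to match when they should match. Suggest "causing rules to fail to match even when they should". In the [FreeBSD 13.x] paragraph of section VI, "replace NNNNNN" should be "replacing NNNNNN", as in the Subversion paragraph.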

@ -0,0 +1,161 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-21:04.jail_remove Security Advisory
The FreeBSD Project
Topic: jail_remove(2) fails to kill all jailed processes
Category: core
Module: jail
Announced: 2021-02-24
Credits: Mateusz Guzik
Affects: All supported versions of FreeBSD.
Corrected: 2021-02-19 01:22:08 UTC (stable/13, 13.0-STABLE)
2021-02-19 21:53:07 UTC (releng/13.0, 13.0-BETA3-p1)
2021-02-19 21:46:31 UTC (stable/12, 12.2-STABLE)
2021-02-24 01:43:39 UTC (releng/12.2, 12.2-RELEASE-p4)
2021-02-19 21:50:26 UTC (stable/11, 11.4-STABLE)
2021-02-24 01:41:41 UTC (releng/11.4, 11.4-RELEASE-p8)
CVE Name: CVE-2020-25581
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The jail(2) system call allows a system administrator to lock a process
and all of its descendants inside an environment with a very limited
ability to affect the system outside that environment, even for
processes with superuser privileges. It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.
The jail_remove(2) system call, which was introduced in FreeBSD 8.0,
allows a non-jailed process to remove a jail, which includes terminating
all the processes running in that jail.
II. Problem Description
Due to a race condition in the jail_remove(2) implementation, it may fail
to kill some of the processes.
III. Impact
A process running inside a jail can avoid being killed during jail termination.
If a jail is subsequently started with the same root path, a lingering jailed
process may be able to exploit the window during which a devfs filesystem is
mounted but the jail's devfs ruleset has not been applied, to access device
nodes which are ordinarily inaccessible. If the process is privileged, it may
be able to escape the jail and gain full access to the system.
IV. Workaround
The problem is limited to scenarios where a jail containing an untrusted,
privileged process is stopped, and a jail is subsequently started with the same
root path. Users not running jails are not affected, and the problem can be
avoided by not starting a jail with the same path as a previously stopped jail.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date and reboot.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 13.x]
# fetch https://security.FreeBSD.org/patches/SA-21:04/jail_remove.13.patch
# fetch https://security.FreeBSD.org/patches/SA-21:04/jail_remove.13.patch.asc
# gpg --verify jail_remove.13.patch.asc
[FreeBSD 11.x, FreeBSD 12.x]
# fetch https://security.FreeBSD.org/patches/SA-21:04/jail_remove.patch
# fetch https://security.FreeBSD.org/patches/SA-21:04/jail_remove.patch.asc
# gpg --verify jail_remove.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/13/ 894360bacd42f021551f76518edd445f6d299f2e
releng/13.0/ 9f00cb5fa8a438e7b9efb2158f2e2edc730badd1
stable/12/ r369312
releng/12.2/ r369353
stable/11/ r369313
releng/11.4/ r369347
- -------------------------------------------------------------------------
[FreeBSD 13.x]
To see which files were modified by a particular revision, run the following
command in a checked out git repository, replacing NNNNNN with the revision
hash:
# git show --stat NNNNNN
Or visit the following URL, replace NNNNNN with the revision hash:
<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
[FreeBSD 11.x, FreeBSD 12.x]
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25581>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-21:04.jail_remove.asc>
-----BEGIN PGP SIGNATURE-----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=yxgm
-----END PGP SIGNATURE-----
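
Review bot: Section IV reduces the workaround to not reusing the root path of a previously stopped jail, but section III makes a process that survived jail removal the precondition, and the text gives no way to tell whether one remains. A sentence on how an administrator can confirm that no process from the stopped jail is still running would make the workaround actionable for hosts that must reuse a path before the reboot required by section V.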

@ -0,0 +1,162 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-21:05.jail_chdir Security Advisory
The FreeBSD Project
Topic: jail_attach(2) relies on the caller to change the cwd
Category: core
Module: jail
Announced: 2021-02-24
Credits: Mateusz Guzik
Affects: All supported versions of FreeBSD.
Corrected: 2021-02-22 05:49:40 UTC (stable/13, 13.0-STABLE)
2021-02-22 18:25:23 UTC (releng/13.0, 13.0-BETA3-p1)
2021-02-22 19:03:43 UTC (stable/12, 12.2-STABLE)
2021-02-24 01:43:47 UTC (releng/12.2, 12.2-RELEASE-p4)
2021-02-22 19:08:27 UTC (stable/11, 11.4-STABLE)
2021-02-24 01:41:46 UTC (releng/11.4, 11.4-RELEASE-p8)
CVE Name: CVE-2020-25582
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The jail(2) system call allows a system administrator to lock a process
and all of its descendants inside an environment with a very limited
ability to affect the system outside that environment, even for
processes with superuser privileges. It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.
The jail_attach(2) system call, which was introduced in FreeBSD 5
before 5.1-RELEASE, allows a non-jailed process to permanently move
into an existing jail.
The ptrace(2) system call provides tracing and debugging facilities by
allowing one process (the tracing process) to watch and control
another (the traced process).
II. Problem Description
When a process, such as jexec(8) or killall(1), calls jail_attach(2)
to enter a jail, the jailed root can attach to it using ptrace(2) before
the current working directory is changed.
III. Impact
A process with superuser privileges running inside a jail could change
the root directory outside of the jail, thereby gaining full read and
writing access to all files and directories in the system.
IV. Workaround
No workaround is available, but systems that are not running jails with
untrusted root users are not vulnerable.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date
and reboot.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 13.x]
# fetch https://security.FreeBSD.org/patches/SA-21:05/jail_chdir.13.patch
# fetch https://security.FreeBSD.org/patches/SA-21:05/jail_chdir.13.patch.asc
# gpg --verify jail_chdir.13.patch.asc
[FreeBSD 11.x, FreeBSD 12.x]
# fetch https://security.FreeBSD.org/patches/SA-21:05/jail_chdir.patch
# fetch https://security.FreeBSD.org/patches/SA-21:05/jail_chdir.patch.asc
# gpg --verify jail_chdir.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/13/ 5dbb407145c8128753fa30b695bc266dc671e433
releng/13.0/ f3f042d850baaeda1bed19e00c2b3b578644b7e9
stable/12/ r369334
releng/12.2/ r369354
stable/11/ r369335
releng/11.4/ r369348
- -------------------------------------------------------------------------
[FreeBSD 13.x]
To see which files were modified by a particular revision, run the following
command in a checked out git repository, replacing NNNNNN with the revision
hash:
# git show --stat NNNNNN
Or visit the following URL, replace NNNNNN with the revision hash:
<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
[FreeBSD 11.x, FreeBSD 12.x]
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25582>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-21:05.jail_chdir.asc>
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmA15dYACgkQ05eS9J6n
5cKj/xAAjbGc0bV3Ua8PuIFoDk7ADnwNotFV9PlXknWpeM4fXVVrt5EDncMfgHdw
XeKHOjzKNocOCtDioDhOcev9hhLeiYJjGHKrOQeKv34hJoufd6Wr0nvLgv/IVlMr
iZRVndvG1eBlnkwzlbx0xh1OY9zhffqjEiVkQNxXZV0iz/P2ndG0wP7N/bTG2QW3
1mZmp4Fh9AsbjLPVGyutoLZXiypuroGPLQZrth3n7Cz8HklwyPzoAgPOYx7mMW3D
x1Th6kYIEx1aCe+ZBsgOuPsKeZ4SSB5o1w2F5y+mor/rslgQJAppNakBMmyDkSEI
UhEqLGNA469P0qonCHhGY83wfkuUedFTuWLrdnh97J7yr+WIn1ik1/jBXxv3+1kS
bKivBd/oj6hEFULE7r6T/UVomJjU+dPPBm+ewljJFVib+3zIQsbxauLdqUuqWlob
QUkQc4mu7fjVSAMyVbYVrjBAgwQJit0KfX+JSbEcLndmPv1RCK8wnxIf0zbmV2m/
DMg9QGqwfcJkba6Y/JCAFZcl+HUCfEGUqZ7pEqGuwsp3wnMwO7Qg9IAEmDt8i2lf
6kaqAatJ5Reo/D+j6KJFvGCajnEfD0n+jDx8cdJFNY2Zzbo3/lRGd8dque5OEbTA
O0UZu2hRv5YMIagMf57WWzGrF+ACtgYbath710IKfVUfP/OiCIM=
=/d5L
-----END PGP SIGNATURE-----
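
Review bot: In section III, "full read and writing access" should be "full read and write access". Section II also says the jailed root can attach "before the current working directory is changed" without saying why that ordering matters; one sentence tying it to the Impact (the entering process's working directory still refers to a location outside the jail at that point) would connect the two sections.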

@ -0,0 +1,154 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-21:06.xen Security Advisory
The FreeBSD Project
Topic: Xen grant mapping error handling issues
Category: contrib
Module: xen
Announced: 2021-02-24
Credits: See Xen XSA-361 for details
Affects: All supported versions of FreeBSD.
Corrected: 2021-02-23 00:55:14 UTC (stable/13, 13.0-STABLE)
2021-02-24 01:42:35 UTC (releng/13.0, 13.0-BETA3-p1)
2021-02-23 00:58:03 UTC (stable/12, 12.2-STABLE)
2021-02-24 01:43:59 UTC (releng/12.2, 12.2-RELEASE-p4)
2021-02-23 00:59:23 UTC (stable/11, 11.4-STABLE)
2021-02-24 01:41:51 UTC (releng/11.4, 11.4-RELEASE-p8)
CVE Name: CVE-2021-26932
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
Xen is a type-1 hypervisor which supports FreeBSD as a Dom0 (or host domain).
II. Problem Description
Grant mapping operations often occur in batch hypercalls, where a number of
operations are done in a single hypercall, the success or failure of each one
reported to the backend driver, and the backend driver then loops over the
results, performing follow-up actions based on the success or failure of each
operation.
Unfortunately, when running in HVM/PVH mode, the FreeBSD backend drivers
mishandle this: Some errors are ignored, effectively implying their success
from the success of related batch elements. In other cases, errors resulting
from one batch element lead to further batch elements not being inspected,
and hence successful ones to not be possible to properly unmap upon error
recovery.
III. Impact
A malicious or buggy frontend driver may be able to cause resource leaks
in the domain running the corresponding backend driver.
IV. Workaround
No workaround is available. FreeBSD systems not using Xen are not
affected.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date
and reboot.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-21:06/xen.patch
# fetch https://security.FreeBSD.org/patches/SA-21:06/xen.patch.asc
# gpg --verify xen.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/13/ ab3e1bd3c22a222520c23c2793cc39e3a23c9b46
releng/13.0/ ce9af53d0897a1cb926bd244f499fc09b1626b27
stable/12/ r369341
releng/12.2/ r369358
stable/11/ r369342
releng/11.4/ r369350
- -------------------------------------------------------------------------
[FreeBSD 13.x]
To see which files were modified by a particular revision, run the following
command in a checked out git repository, replacing NNNNNN with the revision
hash:
# git show --stat NNNNNN
Or visit the following URL, replace NNNNNN with the revision hash:
<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
[FreeBSD 11.x, FreeBSD 12.x]
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://xenbits.xen.org/xsa/advisory-361.html>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26932>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-21:06.xen.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,11 @@
--- sys/x86/x86/ucode.c.orig
+++ sys/x86/x86/ucode.c
@@ -260,7 +260,7 @@
goto restart;
}
}
-SYSINIT(ucode_release, SI_SUB_KMEM + 1, SI_ORDER_ANY, ucode_release, NULL);
+SYSINIT(ucode_release, SI_SUB_SMP + 1, SI_ORDER_ANY, ucode_release, NULL);
void
ucode_load_ap(int cpu)
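Review bot: The new ordering on the SYSINIT line, SI_SUB_SMP + 1, is a bare offset with no comment saying what ucode_release() has to wait for. If the reason is that ucode_load_ap(), defined directly below, still reads the concatenated microcode while the APs come up, a one-line comment above the SYSINIT saying so would keep a later cleanup from moving the release back to SI_SUB_KMEM + 1.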

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

File diff suppressed because it is too large

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,23 @@
--- usr.sbin/freebsd-update/freebsd-update.sh.orig
+++ usr.sbin/freebsd-update/freebsd-update.sh
@@ -2949,17 +2949,9 @@
env DESTDIR=${BASEDIR} certctl rehash
fi
- # Rebuild generated pwd files.
- if [ ${BASEDIR}/etc/master.passwd -nt ${BASEDIR}/etc/spwd.db ] ||
- [ ${BASEDIR}/etc/master.passwd -nt ${BASEDIR}/etc/pwd.db ] ||
- [ ${BASEDIR}/etc/master.passwd -nt ${BASEDIR}/etc/passwd ]; then
- pwd_mkdb -d ${BASEDIR}/etc -p ${BASEDIR}/etc/master.passwd
- fi
-
- # Rebuild /etc/login.conf.db if necessary.
- if [ ${BASEDIR}/etc/login.conf -nt ${BASEDIR}/etc/login.conf.db ]; then
- cap_mkdb ${BASEDIR}/etc/login.conf
- fi
+ # Rebuild generated pwd files and /etc/login.conf.db.
+ pwd_mkdb -d ${BASEDIR}/etc -p ${BASEDIR}/etc/master.passwd
+ cap_mkdb ${BASEDIR}/etc/login.conf
# Rebuild man page databases, if necessary.
for D in /usr/share/man /usr/share/openssl/man; do
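Review bot: With the -nt guards removed, pwd_mkdb and cap_mkdb run on every install, and neither call checks that its input file exists or that the command succeeded. If ${BASEDIR}/etc/master.passwd or ${BASEDIR}/etc/login.conf is missing or malformed, nothing in the hunk handles the failure; consider a [ -f ... ] test or an explicit message on a non-zero exit. The ${BASEDIR} expansions are also unquoted, as they were in the removed lines, so a BASEDIR containing whitespace splits the arguments.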

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,16 @@
--- lib/libpam/modules/pam_login_access/login_access.c.orig
+++ lib/libpam/modules/pam_login_access/login_access.c
@@ -137,10 +137,10 @@
if (match != NO) {
while ((tok = strtok((char *) 0, listsep)) && strcmp(tok, "EXCEPT")) {
/* VOID */ ;
- if (tok == NULL || list_match((char *) 0, item, match_fn,
- login_access_opts) == NO) {
+ }
+ if (tok == NULL ||
+ list_match((char *) 0, item, match_fn, login_access_opts) == NO) {
return (match);
- }
}
}
return (NO);
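Review bot: The whole fix is one moved closing brace after the /* VOID */ ; line, which is easy to undo by accident, and no test accompanies it. Writing the empty loop body as a single "continue;" would make the intent explicit, and a regression test covering access rules with and without an EXCEPT clause would pin down both return paths (return (match) and return (NO)).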

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,95 @@
--- sys/kern/kern_fork.c.orig
+++ sys/kern/kern_fork.c
@@ -1126,6 +1126,12 @@
PROC_UNLOCK(p);
}
+ /*
+ * If the prison was killed mid-fork, die along with it.
+ */
+ if (!prison_isalive(td->td_ucred->cr_prison))
+ exit1(td, 0, SIGKILL);
+
userret(td, frame);
#ifdef KTRACE
--- sys/kern/kern_jail.c.orig
+++ sys/kern/kern_jail.c
@@ -1764,6 +1764,7 @@
}
}
pr->pr_flags = (pr->pr_flags & ~ch_flags) | pr_flags;
+ pr->pr_flags &= ~PR_REMOVE;
mtx_unlock(&pr->pr_mtx);
drflags &= ~PD_LOCKED;
@@ -2368,6 +2369,12 @@
drflags = PD_DEREF | PD_LOCKED | PD_LIST_XLOCKED;
+ /*
+ * Mark the prison as doomed, so it doesn't accidentally come back
+ * to life. It may still be explicitly brought back by jail_set(2).
+ */
+ pr->pr_flags |= PR_REMOVE;
+
/* If the prison was persistent, it is not anymore. */
if (pr->pr_flags & PR_PERSIST) {
refcount_release(&pr->pr_ref);
@@ -2508,6 +2515,17 @@
#endif
prison_deref(oldcred->cr_prison, PD_DEREF | PD_DEUREF);
crfree(oldcred);
+
+ /*
+ * If the prison was killed while changing credentials, die along
+ * with it.
+ */
+ if (!prison_isalive(pr)) {
+ PROC_LOCK(p);
+ kern_psignal(p, SIGKILL);
+ PROC_UNLOCK(p);
+ }
+
return (0);
e_unlock:
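Review bot: The post-attach check ends the process with kern_psignal(p, SIGKILL) and then still falls through to return (0), while the matching check in kern_fork.c calls exit1(td, 0, SIGKILL) directly; the comment does not say why the two paths differ. Extend the comment to state that the signal is delivered on the way back to userland and that returning success to the caller is intended.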
@@ -3038,17 +3056,18 @@
/*
* Return true if the prison is currently alive. A prison is alive if it is
- * valid and it holds user references.
+ * valid and holds user references, and it isn't being removed.
*/
bool
prison_isalive(struct prison *pr)
{
- mtx_assert(&pr->pr_mtx, MA_OWNED);
if (__predict_false(refcount_load(&pr->pr_ref) == 0))
return (false);
if (__predict_false(refcount_load(&pr->pr_uref) == 0))
return (false);
+ if (__predict_false(pr->pr_flags & PR_REMOVE))
+ return (false);
return (true);
}
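Review bot: prison_isalive() now reads pr->pr_flags with no lock held, and the mtx_assert() that documented the locking contract is removed, yet the writers elsewhere in this patch update pr_flags before mtx_unlock(&pr->pr_mtx). The function comment should state that the result is an unlocked snapshot that may be stale by the time the caller acts on it, and which callers tolerate that.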
@@ -3061,7 +3080,6 @@
prison_isvalid(struct prison *pr)
{
- mtx_assert(&pr->pr_mtx, MA_OWNED);
if (__predict_false(refcount_load(&pr->pr_ref) == 0))
return (false);
return (true);
--- sys/sys/jail.h.orig
+++ sys/sys/jail.h
@@ -216,6 +216,7 @@
/* primary jail address. */
/* Internal flag bits */
+#define PR_REMOVE 0x01000000 /* In process of being removed */
#define PR_IP4 0x02000000 /* IPv4 restricted or disabled */
/* by this jail or an ancestor */
#define PR_IP6 0x04000000 /* IPv6 restricted or disabled */

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,66 @@
--- sys/kern/kern_fork.c.orig
+++ sys/kern/kern_fork.c
@@ -1138,6 +1138,12 @@
PROC_UNLOCK(p);
}
+ /*
+ * If the prison was killed mid-fork, die along with it.
+ */
+ if (td->td_ucred->cr_prison->pr_flags & PR_REMOVE)
+ exit1(td, 0, SIGKILL);
+
userret(td, frame);
#ifdef KTRACE
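Review bot: The test td->td_ucred->cr_prison->pr_flags & PR_REMOVE is open-coded here and again as pr->pr_flags & PR_REMOVE in the credential-change path of kern_jail.c, both reading pr_flags without taking pr_mtx. A small inline helper, with a comment on why the unlocked read is acceptable, would keep the two checks identical and document the race.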
--- sys/kern/kern_jail.c.orig
+++ sys/kern/kern_jail.c
@@ -1768,6 +1768,7 @@
}
}
pr->pr_flags = (pr->pr_flags & ~ch_flags) | pr_flags;
+ pr->pr_flags &= ~PR_REMOVE;
mtx_unlock(&pr->pr_mtx);
#ifdef RACCT
@@ -2306,6 +2307,12 @@
struct proc *p;
int deuref;
+ /*
+ * Mark the prison as doomed, so it doesn't accidentally come back
+ * to life. It may still be explicitly brought back by jail_set(2).
+ */
+ pr->pr_flags |= PR_REMOVE;
+
/* If the prison was persistent, it is not anymore. */
deuref = 0;
if (pr->pr_flags & PR_PERSIST) {
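Review bot: pr->pr_flags |= PR_REMOVE is a read-modify-write placed ahead of everything else in the function, and the hunk shows no lock being taken or asserted before it. If the caller is expected to hold pr_mtx, an mtx_assert(&pr->pr_mtx, MA_OWNED) right above the new block would make that requirement explicit.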
@@ -2450,6 +2457,17 @@
#endif
prison_deref(oldcred->cr_prison, PD_DEREF | PD_DEUREF);
crfree(oldcred);
+
+ /*
+ * If the prison was killed while changing credentials, die along
+ * with it.
+ */
+ if (pr->pr_flags & PR_REMOVE) {
+ PROC_LOCK(p);
+ kern_psignal(p, SIGKILL);
+ PROC_UNLOCK(p);
+ }
+
return (0);
e_unlock:
--- sys/sys/jail.h.orig
+++ sys/sys/jail.h
@@ -213,6 +213,7 @@
/* primary jail address. */
/* Internal flag bits */
+#define PR_REMOVE 0x01000000 /* In process of being removed */
#define PR_IP4 0x02000000 /* IPv4 restricted or disabled */
/* by this jail or an ancestor */
#define PR_IP6 0x04000000 /* IPv6 restricted or disabled */

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,103 @@
--- lib/libc/sys/jail.2.orig
+++ lib/libc/sys/jail.2
@@ -25,7 +25,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd February 8, 2012
+.Dd February 19, 2021
.Dt JAIL 2
.Os
.Sh NAME
@@ -228,6 +228,9 @@
system call attaches the current process to an existing jail,
identified by
.Fa jid .
+It changes the process's root and current directories to the jail's
+.Va path
+directory.
.Pp
The
.Fn jail_remove
--- sys/kern/kern_descrip.c.orig
+++ sys/kern/kern_descrip.c
@@ -3795,9 +3795,8 @@
}
/*
-* Common routine for kern_chroot() and jail_attach(). The caller is
-* responsible for invoking priv_check() and mac_vnode_check_chroot() to
-* authorize this operation.
+* The caller is responsible for invoking priv_check() and
+* mac_vnode_check_chroot() to authorize this operation.
*/
int
pwd_chroot(struct thread *td, struct vnode *vp)
@@ -3859,6 +3858,46 @@
pwd_drop(oldpwd);
}
+/*
+ * jail_attach(2) changes both root and working directories.
+ */
+int
+pwd_chroot_chdir(struct thread *td, struct vnode *vp)
+{
+ struct pwddesc *pdp;
+ struct filedesc *fdp;
+ struct pwd *newpwd, *oldpwd;
+ int error;
+
+ fdp = td->td_proc->p_fd;
+ pdp = td->td_proc->p_pd;
+ newpwd = pwd_alloc();
+ FILEDESC_SLOCK(fdp);
+ PWDDESC_XLOCK(pdp);
+ oldpwd = PWDDESC_XLOCKED_LOAD_PWD(pdp);
+ error = chroot_refuse_vdir_fds(fdp);
+ FILEDESC_SUNLOCK(fdp);
+ if (error != 0) {
+ PWDDESC_XUNLOCK(pdp);
+ pwd_drop(newpwd);
+ return (error);
+ }
+
+ vrefact(vp);
+ newpwd->pwd_rdir = vp;
+ vrefact(vp);
+ newpwd->pwd_cdir = vp;
+ if (oldpwd->pwd_jdir == NULL) {
+ vrefact(vp);
+ newpwd->pwd_jdir = vp;
+ }
+ pwd_fill(oldpwd, newpwd);
+ pwd_set(pdp, newpwd);
+ PWDDESC_XUNLOCK(pdp);
+ pwd_drop(oldpwd);
+ return (0);
+}
+
void
pwd_ensure_dirs(void)
{
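Review bot: The comment on pwd_chroot_chdir() only says that jail_attach(2) changes both directories; it does not carry over the contract stated on pwd_chroot(), that the caller must already have done the priv_check() and mac_vnode_check_chroot() authorization. Since this function also installs a new root, repeat that requirement here, and note that it takes a reference on vp for pwd_rdir, for pwd_cdir and, when oldpwd->pwd_jdir is NULL, for pwd_jdir.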
--- sys/kern/kern_jail.c.orig
+++ sys/kern/kern_jail.c
@@ -2495,7 +2495,7 @@
goto e_unlock;
#endif
VOP_UNLOCK(pr->pr_root);
- if ((error = pwd_chroot(td, pr->pr_root)))
+ if ((error = pwd_chroot_chdir(td, pr->pr_root)))
goto e_revert_osd;
newcred = crget();
--- sys/sys/filedesc.h.orig
+++ sys/sys/filedesc.h
@@ -333,6 +333,7 @@
void pwd_chdir(struct thread *td, struct vnode *vp);
int pwd_chroot(struct thread *td, struct vnode *vp);
+int pwd_chroot_chdir(struct thread *td, struct vnode *vp);
void pwd_ensure_dirs(void);
void pwd_set_rootvnode(void);

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,98 @@
--- lib/libc/sys/jail.2.orig
+++ lib/libc/sys/jail.2
@@ -25,7 +25,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd February 8, 2012
+.Dd February 19, 2021
.Dt JAIL 2
.Os
.Sh NAME
@@ -228,6 +228,9 @@
system call attaches the current process to an existing jail,
identified by
.Fa jid .
+It changes the process's root and current directories to the jail's
+.Va path
+directory.
.Pp
The
.Fn jail_remove
--- sys/kern/kern_descrip.c.orig
+++ sys/kern/kern_descrip.c
@@ -3242,10 +3242,9 @@
}
/*
- * Common routine for kern_chroot() and jail_attach(). The caller is
- * responsible for invoking priv_check() and mac_vnode_check_chroot() to
- * authorize this operation.
- */
+* The caller is responsible for invoking priv_check() and
+* mac_vnode_check_chroot() to authorize this operation.
+*/
int
pwd_chroot(struct thread *td, struct vnode *vp)
{
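Review bot: The rewritten comment lines start with "*" directly after the diff marker, and the closing " */" line is replaced only to drop its leading space, so the block comment no longer matches the " * " continuation style of the lines it replaces. Keep the leading space on each added line and leave the closing line untouched.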
@@ -3291,6 +3290,39 @@
vrele(oldvp);
}
+/*
+ * jail_attach(2) changes both root and working directories.
+ */
+int
+pwd_chroot_chdir(struct thread *td, struct vnode *vp)
+{
+ struct filedesc *fdp;
+ struct vnode *oldvrp, *oldvcp;
+ int error;
+
+ fdp = td->td_proc->p_fd;
+ FILEDESC_XLOCK(fdp);
+ error = chroot_refuse_vdir_fds(fdp);
+ if (error != 0) {
+ FILEDESC_XUNLOCK(fdp);
+ return (error);
+ }
+ oldvrp = fdp->fd_rdir;
+ vrefact(vp);
+ fdp->fd_rdir = vp;
+ oldvcp = fdp->fd_cdir;
+ vrefact(vp);
+ fdp->fd_cdir = vp;
+ if (fdp->fd_jdir == NULL) {
+ vrefact(vp);
+ fdp->fd_jdir = vp;
+ }
+ FILEDESC_XUNLOCK(fdp);
+ vrele(oldvrp);
+ vrele(oldvcp);
+ return (0);
+}
+
/*
* Scan all active processes and prisons to see if any of them have a current
* or root directory of `olddp'. If so, replace them with the new mount point.
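Review bot: vrele(oldvrp) and vrele(oldvcp) run unconditionally after FILEDESC_XUNLOCK(), but nothing in the function establishes that fd_rdir and fd_cdir are non-NULL on entry, whereas fd_jdir is explicitly tested against NULL. Either add a KASSERT documenting that both are always set for a process that reaches jail_attach(2), or guard the two vrele() calls.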
--- sys/kern/kern_jail.c.orig
+++ sys/kern/kern_jail.c
@@ -2437,7 +2437,7 @@
goto e_unlock;
#endif
VOP_UNLOCK(pr->pr_root, 0);
- if ((error = pwd_chroot(td, pr->pr_root)))
+ if ((error = pwd_chroot_chdir(td, pr->pr_root)))
goto e_revert_osd;
newcred = crget();
--- sys/sys/filedesc.h.orig
+++ sys/sys/filedesc.h
@@ -243,6 +243,7 @@
/* cdir/rdir/jdir manipulation functions. */
void pwd_chdir(struct thread *td, struct vnode *vp);
int pwd_chroot(struct thread *td, struct vnode *vp);
+int pwd_chroot_chdir(struct thread *td, struct vnode *vp);
void pwd_ensure_dirs(void);
#endif /* _KERNEL */

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,34 @@
--- sys/dev/xen/blkback/blkback.c.orig
+++ sys/dev/xen/blkback/blkback.c
@@ -2912,10 +2912,31 @@
ring_idx < xbb->ring_config.ring_pages;
ring_idx++, gnt++) {
if (gnt->status != 0) {
+ struct gnttab_unmap_grant_ref unmap[XBB_MAX_RING_PAGES];
+ unsigned int i, j;
+
xbb->ring_config.va = 0;
xenbus_dev_fatal(xbb->dev, EACCES,
"Ring shared page mapping failed. "
"Status %d.", gnt->status);
+
+ /* Unmap everything to avoid leaking grant table maps */
+ for (i = 0, j = 0; i < xbb->ring_config.ring_pages;
+ i++) {
+ if (gnts[i].status != GNTST_okay)
+ continue;
+
+ unmap[j].host_addr = gnts[i].host_addr;
+ unmap[j].dev_bus_addr = gnts[i].dev_bus_addr;
+ unmap[j++].handle = gnts[i].handle;
+ }
+ if (j != 0) {
+ error = HYPERVISOR_grant_table_op(
+ GNTTABOP_unmap_grant_ref, unmap, j);
+ if (error != 0)
+ panic("Unable to unmap grants (%d)",
+ error);
+ }
return (EACCES);
}
xbb->ring_config.handle[ring_idx] = gnt->handle;
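Review bot: After the batched GNTTABOP_unmap_grant_ref, only the return value of HYPERVISOR_grant_table_op() is checked; the per-entry status of each unmap[] element is never inspected, which is the batch-error pattern the advisory text describes. Check unmap[k].status for every entry that was submitted. The panic() also deserves a comment on why unmapping a grant that was just mapped successfully cannot legitimately fail, and the cleanup loop tests gnts[i].status != GNTST_okay while the enclosing check uses gnt->status != 0; use one form for both.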

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----