Add the latest advisory and 3 new errata notices:

Fix OpenSSL NULL pointer dereference vulnerability. [SA-14:09]

  Add pkg bootstrapping, configuration and public keys. [EN-14:03]
  Improve build repeatability for kldxref(8). [EN-14:04]
  Fix data corruption with ciss(4). [EN-14:05]
Xin LI 2014-05-13 23:55:52 +00:00
parent 1acb4e9347
commit 6705d61482
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=44822
18 changed files with 1511 additions and 0 deletions


@ -0,0 +1,180 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-14:03.pkg Errata Notice
The FreeBSD Project
Topic: pkg bootstrapping, configuration and public keys
Category: core, packages
Module: pkg
Announced: 2014-05-13
Credits: Baptiste Daroussin, Bryan Drewery
Affects: All versions of FreeBSD prior to 10.0-RELEASE
Corrected: 2014-04-15 23:40:47 UTC (stable/8, 8.4-STABLE)
2014-05-13 23:24:32 UTC (releng/8.4, 8.4-RELEASE-p10)
2014-03-11 14:48:44 UTC (stable/9, 9.2-STABLE)
2014-05-13 23:24:14 UTC (releng/9.2, 9.2-RELEASE-p6)
2014-05-13 23:24:14 UTC (releng/9.1, 9.1-RELEASE-p13)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:http://security.freebsd.org/>.
I. Background
The pkg(7) utility is the new package management tool for FreeBSD. The
FreeBSD project has provided official pkg(7) packages since October 2013
and signed packages since the pkg-1.2 release in November 2013. The
signature checking requires known public keys to be installed locally.
The repository configuration must be installed as well.
The base system also includes a pkg(7) bootstrap tool that installs the
latest real pkg(7) package. The bootstrap tool knows where to find the
official pkg(7) package but once that is installed the real pkg(7) will
not know where to find official packages, nor have the known public key
for signature checking.
The bootstrap tool was also improved in 10.0-RELEASE to check the
signature on the pkg(7) package it is installing.
II. Problem Description
Only FreeBSD 10.0 has been released with the official repository
configuration, known public keys, and a bootstrap tool that checks the
signature of the pkg(7) package it is installing.
To allow packages to be used on a system, the configuration must be
manually setup and keys securely fetched and installed to the proper
location.
III. Impact
Releases before 10.0 require manual configuration. Manually configuring the
pkg(7) signatures could result in insecurely installing the keys or leaving
the signature checking disabled.
The bootstrap tool is not secure on releases prior to 10.0 due to not checking
the signature and could result in having an unofficial pkg(7) installed due to
MITM attacks.
IV. Workaround
To securely install pkg(7) on releases prior to 10.0, install it from ports
obtained from a secure portsnap checkout:
# portsnap fetch extract
# echo "WITH_PKGNG=yes" >> /etc/make.conf
# make -C /usr/ports/ports-mgmt/pkg install clean
If this is an existing system it may be converted to pkg(7) as well by running:
# pkg2ng
After this is done /usr/ports may be removed if no longer required.
To workaround the configuration and keys being missed, apply the solution in
this Errata.
V. Solution
No solution is provided for pkg(7) bootstrap signature checking on releases prior
to 10.0. Upgrading to 10.0 or stable/9 after r263038 will suffice.
To install the configuration and public key in a secure means, perform one of
the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
2) To update your present system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 9.2]
# fetch http://security.FreeBSD.org/patches/EN-14:03/pkg-en-releng-9.2.patch
# fetch http://security.FreeBSD.org/patches/EN-14:10/pkg-en-releng-9.2.patch.asc
# gpg --verify pkg-en-releng-9.2.patch.asc
[FreeBSD 9.1]
# fetch http://security.FreeBSD.org/patches/EN-14:03/pkg-en-releng-9.1.patch
# fetch http://security.FreeBSD.org/patches/EN-14:10/pkg-en-releng-9.1.patch.asc
# gpg --verify pkg-en-releng-9.1.patch.asc
[FreeBSD 8.4]
# fetch http://security.FreeBSD.org/patches/EN-14:03/pkg-en-releng-8.4.patch
# fetch http://security.FreeBSD.org/patches/EN-14:03/pkg-en-releng-8.4.patch.asc
# gpg --verify pkg-en-releng-8.4.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/etc/pkg
# mkdir -p /etc/pkg /usr/share/keys/pkg/trusted /usr/share/keys/pkg/revoked
# make install
# cd /usr/src/share/keys/pkg
# make install
3) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r264519
releng/8.4/ r265989
stable/9/ r263937 (*)
releng/9.1/ r265988
releng/9.2/ r265988
- -------------------------------------------------------------------------
(*) The actual required changeset consists a series of changes, including
r263023,r258550,r263050,r263053 and r263937.
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The latest revision of this Errata Notice is available at
http://security.FreeBSD.org/advisories/FreeBSD-EN-14:03.pkg.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
=UI84
-----END PGP SIGNATURE-----
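Review bot: the detached-signature URLs for the 9.2 and 9.1 patches point at the wrong directory, EN-14:10/ instead of EN-14:03/, while the patches themselves are fetched from EN-14:03/ (`# fetch http://security.FreeBSD.org/patches/EN-14:10/pkg-en-releng-9.2.patch.asc` and the 9.1 equivalent); the 8.4 block is consistent. Since the point of this notice is installing the pkg public key over a verified channel, a reader who follows the text verbatim either gets a fetch failure or verifies a signature unrelated to the patch they downloaded; change both `.asc` paths to `.../patches/EN-14:03/...` to match the 8.4 entry. Two smaller points: section V says stable/9 "after r263038" suffices for bootstrap signature checking, but r263038 does not appear in the footnote's list (r263023, r258550, r263050, r263053, r263937), so one of the two should be checked before publication; and "consists a series of changes" should read "consists of a series of changes".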


@ -0,0 +1,127 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-14:04.kldxref Errata Notice
The FreeBSD Project
Topic: Build repeatability for kldxref(8)
Category: core
Module: kldxref
Announced: 2014-05-13
Credits: Jilles Tjoelker
Affects: All versions of FreeBSD prior to 10.0-RELEASE.
Corrected: 2014-05-13 23:35:29 UTC (stable/8, 8.4-STABLE)
2014-05-13 23:24:32 UTC (releng/8.4, 8.4-RELEASE-p10)
2013-12-23 22:38:41 UTC (stable/9, 9.2-STABLE)
2014-05-13 23:24:14 UTC (releng/9.2, 9.2-RELEASE-p6)
2014-05-13 23:24:14 UTC (releng/9.1, 9.1-RELEASE-p13)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:http://security.freebsd.org/>.
I. Background
The kldxref utility is used to generate hint files which list modules, their
version numbers, and the files that contain them. These hints are used by
the kernel loader to determine where to find a particular KLD module.
II. Problem Description
Previous versions of kldxref(8) do not use an ordered list of files when
generating the hints file. The result of kldxref(8) is equivalent but not
the same if file system layout have been changed.
III. Impact
The generated hint files can be different across different builds, making
unnecessary downloads for binary patch files.
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
2) To update your present system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/EN-14:04/kldxref.patch
# fetch http://security.FreeBSD.org/patches/EN-14:04/kldxref.patch.asc
# gpg --verify kldxref.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
3) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r265990
releng/8.4/ r265989
stable/9/ r259799
releng/9.1/ r265988
releng/9.2/ r265988
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The latest revision of this Errata Notice is available at
http://security.FreeBSD.org/advisories/FreeBSD-EN-14:04.kldxref.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
=W4to
-----END PGP SIGNATURE-----
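Review bot: the Problem Description and Impact paragraphs need grammatical fixes and should state the consequence more directly: "if file system layout have been changed" should read "if the file system layout has changed", and "making unnecessary downloads for binary patch files" should read "causing unnecessary downloads of binary patch files". Because the only reason this ordering issue gets an errata notice is that a hint file regenerated with a different file order is treated as a changed file by the binary update process, one sentence saying so in section III would spare readers wondering why a non-security build-repeatability fix is shipped through the security branches.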


@ -0,0 +1,127 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-14:05.ciss Errata Notice
The FreeBSD Project
Topic: data corruption with ciss(4)
Category: core
Module: ciss
Announced: 2014-05-13
Credits: Sean Bruno
Affects: FreeBSD 10.x and FreeBSD 9.x
Corrected: 2014-04-15 17:52:22 UTC (stable/9, 9.2-STABLE)
2014-05-13 23:24:14 UTC (releng/9.2, 9.2-RELEASE-p6)
2014-05-13 23:24:14 UTC (releng/9.1, 9.1-RELEASE-p13)
2014-04-15 17:49:47 UTC (stable/10, 10.0-STABLE)
2014-05-13 23:22:28 UTC (releng/10.0, 10.0-RELEASE-p3)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:http://security.freebsd.org/>.
I. Background
The ciss driver supports HP Smart Array line of hardware RAID controllers.
II. Problem Description
There is a programming error discovered in the ciss(4) driver, where a missing
lock can trigger a failed assertion when the volume state changes, such as
disk failure or a disk rebuild.
III. Impact
Systems using the ciss(4) driver may experience system crashes or data
corruption when the volume state change.
IV. Workaround
No workaround is available, but systems that do not use ciss(4) devices are
not affected.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
2) To update your present system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/EN-14:05/ciss.patch
# fetch http://security.FreeBSD.org/patches/EN-14:05/ciss.patch.asc
# gpg --verify ciss-10.patch.asc
b) Apply the patch.
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
3) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r264511
releng/9.1/ r265988
releng/9.2/ r265988
stable/10/ r264510
releng/10.0/ r265987
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The latest revision of this Errata Notice is available at
http://security.FreeBSD.org/advisories/FreeBSD-EN-14:05.ciss.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
iQIcBAEBCgAGBQJTcq5IAAoJEO1n7NZdz2rnNqAQAJCfdCBubWSDRO/dsSaqK6yT
bnPY4Xly523ABRCQySe0vajSIK1qqfE0bAmhYa/7BTMqyJKz0BRhx819D8SiWNS9
Hdy4yU/hOjBkbT6KAtpBaSUNXX4ODWaNbd78c+uDSvj9UeQgrunAQC7OJR6iYWuq
25fBUXgovSr4g9puNyBs8sH+c7IzbG4HvhoPrjRDwdasEyCBzx6RggpnxusfVsd9
91Eg/WPG3hIJW6kaHOWWeVwz4vCRZjv0u7myeJBcAa7gcwDX/J2DHeDrG60O3BNY
/fZT2UcfDxE0rEVuVnV3Vc0XkIQjuNk7G9SkGjH4Zdx+I34UT05cxU5ZrdpKNiGL
fjbo4H/KBML4agRGAPzeo3KU3rxOUmss+mh7Mu+CVoZP5uQUr1sEUkfQ+FkJjjbv
es47Ij6ZmfGyUPuVKVCW34bXm6Ieyc0QZ10kRv8paOmPsWBA+WYWGibEhvwp5v0p
AHdlGGO/FpOac4h/YEqOh6ryN8QldjCI+SCqkfs38DjeTX5IWecgax586oH7BpJm
RGc/fgx3YSO8tmMaTwKZm5VVlujsld6t95XrA2dGWOhiWcRsoWGs+SaUTNf5Y0Te
k2vD7tMsk37PG4jbp7pk4FH2Mfb9KRHe82ebdOnkOj4C5kWIB8FwYJyMIjDl3C4r
OdXZDrbyKh/swjJZJIuP
=orSF
-----END PGP SIGNATURE-----
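Review bot: the verify step in section V.2.a names a file that the preceding fetch commands never download: `# gpg --verify ciss-10.patch.asc` follows `# fetch http://security.FreeBSD.org/patches/EN-14:05/ciss.patch.asc`, so it should be `# gpg --verify ciss.patch.asc` (or the fetch URLs should name ciss-10.patch). A reader pasting the commands fails at exactly the step that protects them from a tampered patch, and may be tempted to skip it. Also, the Impact sentence should read "when the volume state changes", and the Problem Description reads more naturally as "A programming error was discovered in the ciss(4) driver, where a missing lock ...".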


@ -0,0 +1,140 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-14:10.openssl Security Advisory
The FreeBSD Project
Topic: OpenSSL NULL pointer deference vulnerability
Category: contrib
Module: openssl
Announced: 2014-05-13
Affects: FreeBSD 10.x.
Corrected: 2014-05-13 23:19:16 UTC (stable/10, 10.0-STABLE)
2014-05-13 23:22:28 UTC (releng/10.0, 10.0-RELEASE-p3)
CVE Name: CVE-2014-0198
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.
The TLS protocol supports an alert protocol which can be used to signal the
other party with certain failures in the protocol context that may require
immediate termination of the connection.
II. Problem Description
An attacker can trigger generation of an SSL alert which could cause a null
pointer deference.
III. Impact
An attacker may be able to cause a service process that uses OpenSSL to crash,
which can be used in a denial-of-service attack.
IV. Workaround
No workaround is available, but systems that do not use OpenSSL to implement
the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
protocols, or not using SSL_MODE_RELEASE_BUFFERS and use the same process
to handle multiple SSL connections, are not vulnerable.
The FreeBSD base system service daemons and utilities do not use the
SSL_MODE_RELEASE_BUFFERS mode. However, many third party software uses this
mode to reduce their memory footprint and may therefore be affected by this
issue.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-14:10/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-14:10/openssl.patch.asc
# gpg --verify openssl.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
Restart all deamons using the library, or reboot the system.
3) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/10/ r265986
releng/10.0/ r265987
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/005_openssl.patch.sig>
<URL:https://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=3321>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198>
The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:10.openssl.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
=4EYM
-----END PGP SIGNATURE-----
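Review bot: "deference" in the Topic line and in section II ("could cause a null pointer deference") should be "dereference" (the commit message repeats the typo), and "deamons" in section V should be "daemons". The Workaround paragraph is also hard to parse as written: "or not using SSL_MODE_RELEASE_BUFFERS and use the same process to handle multiple SSL connections, are not vulnerable" reads as if handling several connections in one process were itself a condition for safety; suggest "or that do not use SSL_MODE_RELEASE_BUFFERS in a process handling multiple SSL connections, are not vulnerable", which matches the following paragraph's explanation that the base system daemons are unaffected because they do not set that mode.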