os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Add the latest advisory and 3 new errata notices:

Browse source 
Fix OpenSSL NULL pointer deference vulnerability. [SA-14:09]

  Add pkg bootstrapping, configuration and public keys. [EN-14:03]
  Improve build repeatability for kldxref(8). [EN-14:04]
  Fix data corruption with ciss(4). [EN-14:05]
This commit is contained in:
Xin LI 2014-05-13 23:55:52 +00:00
parent 1acb4e9347
commit 6705d61482
Notes: svn2git 2020-12-08 03:00:23 +00:00 
svn path=/head/; revision=44822
18 changed files with 1511 additions and 0 deletions

180
share/security/advisories/FreeBSD-EN-14:03.pkg.asc Normal file
View file

@ -0,0 +1,180 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-14:03.pkg Errata Notice
The FreeBSD Project
Topic: pkg bootstrapping, configuration and public keys
Category: core, packages
Module: pkg
Announced: 2014-05-13
Credits: Baptiste Daroussin, Bryan Drewery
Affects: All versions of FreeBSD prior to 10.0-RELEASE
Corrected: 2014-04-15 23:40:47 UTC (stable/8, 8.4-STABLE)
2014-05-13 23:24:32 UTC (releng/8.4, 8.4-RELEASE-p10)
2014-03-11 14:48:44 UTC (stable/9, 9.2-STABLE)
2014-05-13 23:24:14 UTC (releng/9.2, 9.2-RELEASE-p6)
2014-05-13 23:24:14 UTC (releng/9.1, 9.1-RELEASE-p13)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:http://security.freebsd.org/>.
I. Background
The pkg(7) utility is the new package management tool for FreeBSD. The
FreeBSD project has provided official pkg(7) packages since October 2013
and signed packages since the pkg-1.2 release in November 2013. The
signature checking requires known public keys to be installed locally.
The repository configuration must be installed as well.
The base system also includes a pkg(7) bootstrap tool that installs the
latest real pkg(7) package. The bootstrap tool knows where to find the
official pkg(7) package but once that is installed the real pkg(7) will
not know where to find official packages, nor have the known public key
for signature checking.
The bootstrap tool was also improved in 10.0-RELEASE to check the
signature on the pkg(7) package it is installing.
II. Problem Description
Only FreeBSD 10.0 has been released with the official repository
configuration, known public keys, and a bootstrap tool that checks the
signature of the pkg(7) package it is installing.
To allow packages to be used on a system, the configuration must be
manually setup and keys securely fetched and installed to the proper
location.
III. Impact
Releases before 10.0 require manual configuration. Manually configuring the
pkg(7) signatures could result in insecurely installing the keys or leaving
the signature checking disabled.
The bootstrap tool is not secure on releases prior to 10.0 due to not checking
the signature and could result in having an unofficial pkg(7) installed due to
MITM attacks.
IV. Workaround
To securely install pkg(7) on releases prior to 10.0, install it from ports
obtained from a secure portsnap checkout:
# portsnap fetch extract
# echo "WITH_PKGNG=yes" >> /etc/make.conf
# make -C /usr/ports/ports-mgmt/pkg install clean
If this is an existing system it may be converted to pkg(7) as well by running:
# pkg2ng
After this is done /usr/ports may be removed if no longer required.
To workaround the configuration and keys being missed, apply the solution in
this Errata.
V. Solution
No solution is provided for pkg(7) bootstrap signature checking on releases prior
to 10.0. Upgrading to 10.0 or stable/9 after r263038 will suffice.
To install the configuration and public key in a secure means, perform one of
the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
2) To update your present system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 9.2]
# fetch http://security.FreeBSD.org/patches/EN-14:03/pkg-en-releng-9.2.patch
# fetch http://security.FreeBSD.org/patches/EN-14:10/pkg-en-releng-9.2.patch.asc
# gpg --verify pkg-en-releng-9.2.patch.asc
[FreeBSD 9.1]
# fetch http://security.FreeBSD.org/patches/EN-14:03/pkg-en-releng-9.1.patch
# fetch http://security.FreeBSD.org/patches/EN-14:10/pkg-en-releng-9.1.patch.asc
# gpg --verify pkg-en-releng-9.1.patch.asc
[FreeBSD 8.4]
# fetch http://security.FreeBSD.org/patches/EN-14:03/pkg-en-releng-8.4.patch
# fetch http://security.FreeBSD.org/patches/EN-14:03/pkg-en-releng-8.4.patch.asc
# gpg --verify pkg-en-releng-8.4.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/etc/pkg
# mkdir -p /etc/pkg /usr/share/keys/pkg/trusted /usr/share/keys/pkg/revoked
# make install
# cd /usr/src/share/keys/pkg
# make install
3) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r264519
releng/8.4/ r265989
stable/9/ r263937 (*)
releng/9.1/ r265988
releng/9.2/ r265988
- -------------------------------------------------------------------------
(*) The actual required changeset consists a series of changes, including
r263023,r258550,r263050,r263053 and r263937.
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The latest revision of this Errata Notice is available at
http://security.FreeBSD.org/advisories/FreeBSD-EN-14:03.pkg.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
iQIcBAEBCgAGBQJTcq5IAAoJEO1n7NZdz2rnPgsP/i1EV9g4qXg9v6HvakiFFKrv
51810uJe/Eo9iujDT1TpwuYJuFQPzkW+h4JRvapaSLAMxeLsYqxj8WDuKz0eU6sW
WjaPv6LZWUG91jHbFr3uEAgLLvkc86kMI/hfSmzq5FY7gsisEKoyfdraR2E63jtp
BFARxAq9hnddck5zZiX7wCOMtvCVrvrSsozft1p885AUra+Tg9F1RuUloS0CYddD
FtUb1dPMshkHlqHqC1wGzRfBVFgX7NnXfnxIi2St1ft0tEDKIL+HQgnjU2CwKbK7
S9ioLYbbUhyo6edpS/4+y5gJ1kVLvlelY4myBHUkSOMJrsxoIBCTuXjdnO9PL5gr
qpS9R6TQEMF5auEG5aIOwfu5t8wqczAfC4zVzbm4UPakRYPFS0NfvkDGW2Gno7Yh
iOur/JFLUOqbV9i8UwssS8OzG0cr8EzbZ3iLkVPqt1Cxuxxpx8+NYiYV3F0PMxB8
iImoOD1BY0lS3x0gqgeZb5ssBk988aVq1cmbrUuriHuKLK/uvSaFHlGXprQyQmTn
4FEFmMNTCSMbYy3J2daEajUroiZVcBEjORPFR8QYtncRgbzB6u/AjVIo+3Uk/0hj
paC8dvBikmT7ity3b7YoOvJIJn62XVqrq9srkYowkDuLJ1E8zQqmR2eZUOmf5vG1
u3zAXa3xup1ginA9Wi6O
=UI84
-----END PGP SIGNATURE-----

127
share/security/advisories/FreeBSD-EN-14:04.kldxref.asc Normal file
View file

@ -0,0 +1,127 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-14:04.kldxref Errata Notice
The FreeBSD Project
Topic: Build repeatability for kldxref(8)
Category: core
Module: kldxref
Announced: 2014-05-13
Credits: Jilles Tjoelker
Affects: All versions of FreeBSD prior to 10.0-RELEASE.
Corrected: 2014-05-13 23:35:29 UTC (stable/8, 8.4-STABLE)
2014-05-13 23:24:32 UTC (releng/8.4, 8.4-RELEASE-p10)
2013-12-23 22:38:41 UTC (stable/9, 9.2-STABLE)
2014-05-13 23:24:14 UTC (releng/9.2, 9.2-RELEASE-p6)
2014-05-13 23:24:14 UTC (releng/9.1, 9.1-RELEASE-p13)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:http://security.freebsd.org/>.
I. Background
The kldxref utility is used to generate hint files which list modules, their
version numbers, and the files that contain them. These hints are used by
the kernel loader to determine where to find a particular KLD module.
II. Problem Description
Previous versions of kldxref(8) do not use an ordered list of files when
generating the hints file. The result of kldxref(8) is equivalent but not
the same if file system layout have been changed.
III. Impact
The generated hint files can be different across different builds, making
unnecessary downloads for binary patch files.
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
2) To update your present system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/EN-14:04/kldxref.patch
# fetch http://security.FreeBSD.org/patches/EN-14:04/kldxref.patch.asc
# gpg --verify kldxref.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
3) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r265990
releng/8.4/ r265989
stable/9/ r259799
releng/9.1/ r265988
releng/9.2/ r265988
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The latest revision of this Errata Notice is available at
http://security.FreeBSD.org/advisories/FreeBSD-EN-14:04.kldxref.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
iQIcBAEBCgAGBQJTcq5IAAoJEO1n7NZdz2rnmPgP/iPAKX2lIGwRXkrYFbNPEBSz
+Tehkgw/ReNG0iaAJql/p0LrxyGUoCwE2rpTJxxC8KB9X8Eq74DhjSNpdYaE12E2
YFMyIyAb1b6wqU34Q7DsR9oPhqIcb9yET2dEg+s5NVSWfC7AMWdvvaJjjxtLgG4L
M9yksDAKs3AJOHEVEtluy7Do8A5W/6b5SHXENbG+AUUBtwnDBKcs9riXic/TQ1WB
vJzHwAJVznQ03bnxqjuG+gZoej6xUHusX+ih87ioKiJrcZ/5szq2C6LIUnRnAA66
6b/szBJ3gRBweOKeopESIcZfwaLCd53EX9/r9vqAfXK6+3uqoIXzkZCyzo+cgSwa
+88SmZ3/4dao24JPoLbVupIyU0CJjmoLsV9jVCrC/fbkUFTxq7Cgbxeai3rmrpXC
p11FXPJd4cOgwuQYUw3rowtoq8z8Wn3PI073SzwT2OZg4SgXRUn+FzGpMWwqbWoa
1idQ9KSM/pFkoa7bdK5S7mYtp7jU9HQeiTXZYYF1S3URr2XpE1vyUFVOuDJpGkkW
KIT/hdy02wGzPPGjQoFkSR2KpUmJr2zHhVSUdt7a8vvYhbZBR21sBIUNKSoWkYtC
2CQXF4pFBHO/i79RiEU+2E1CKWpsqoHnvnKNRq3Bp54aaU9xa4YcRwRJ7lj9RALm
+igNrZJMo3yw3gs89uGp
=W4to
-----END PGP SIGNATURE-----

127
share/security/advisories/FreeBSD-EN-14:05.ciss.asc Normal file
View file

@ -0,0 +1,127 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-14:05.ciss Errata Notice
The FreeBSD Project
Topic: data corruption with ciss(4)
Category: core
Module: ciss
Announced: 2014-05-13
Credits: Sean Bruno
Affects: FreeBSD 10.x and FreeBSD 9.x
Corrected: 2014-04-15 17:52:22 UTC (stable/9, 9.2-STABLE)
2014-05-13 23:24:14 UTC (releng/9.2, 9.2-RELEASE-p6)
2014-05-13 23:24:14 UTC (releng/9.1, 9.1-RELEASE-p13)
2014-04-15 17:49:47 UTC (stable/10, 10.0-STABLE)
2014-05-13 23:22:28 UTC (releng/10.0, 10.0-RELEASE-p3)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:http://security.freebsd.org/>.
I. Background
The ciss driver supports HP Smart Array line of hardware RAID controllers.
II. Problem Description
There is a programming error discovered in the ciss(4) driver, where a missing
lock can trigger a failed assertion when the volume state changes, such as
disk failure or a disk rebuild.
III. Impact
Systems using the ciss(4) driver may experience system crashes or data
corruption when the volume state change.
IV. Workaround
No workaround is available, but systems that do not use ciss(4) devices are
not affected.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
2) To update your present system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/EN-14:05/ciss.patch
# fetch http://security.FreeBSD.org/patches/EN-14:05/ciss.patch.asc
# gpg --verify ciss-10.patch.asc
b) Apply the patch.
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
3) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r264511
releng/9.1/ r265988
releng/9.2/ r265988
stable/10/ r264510
releng/10.0/ r265987
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The latest revision of this Errata Notice is available at
http://security.FreeBSD.org/advisories/FreeBSD-EN-14:05.ciss.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
iQIcBAEBCgAGBQJTcq5IAAoJEO1n7NZdz2rnNqAQAJCfdCBubWSDRO/dsSaqK6yT
bnPY4Xly523ABRCQySe0vajSIK1qqfE0bAmhYa/7BTMqyJKz0BRhx819D8SiWNS9
Hdy4yU/hOjBkbT6KAtpBaSUNXX4ODWaNbd78c+uDSvj9UeQgrunAQC7OJR6iYWuq
25fBUXgovSr4g9puNyBs8sH+c7IzbG4HvhoPrjRDwdasEyCBzx6RggpnxusfVsd9
91Eg/WPG3hIJW6kaHOWWeVwz4vCRZjv0u7myeJBcAa7gcwDX/J2DHeDrG60O3BNY
/fZT2UcfDxE0rEVuVnV3Vc0XkIQjuNk7G9SkGjH4Zdx+I34UT05cxU5ZrdpKNiGL
fjbo4H/KBML4agRGAPzeo3KU3rxOUmss+mh7Mu+CVoZP5uQUr1sEUkfQ+FkJjjbv
es47Ij6ZmfGyUPuVKVCW34bXm6Ieyc0QZ10kRv8paOmPsWBA+WYWGibEhvwp5v0p
AHdlGGO/FpOac4h/YEqOh6ryN8QldjCI+SCqkfs38DjeTX5IWecgax586oH7BpJm
RGc/fgx3YSO8tmMaTwKZm5VVlujsld6t95XrA2dGWOhiWcRsoWGs+SaUTNf5Y0Te
k2vD7tMsk37PG4jbp7pk4FH2Mfb9KRHe82ebdOnkOj4C5kWIB8FwYJyMIjDl3C4r
OdXZDrbyKh/swjJZJIuP
=orSF
-----END PGP SIGNATURE-----

140
share/security/advisories/FreeBSD-SA-14:10.openssl.asc Normal file
View file

@ -0,0 +1,140 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-14:10.openssl Security Advisory
The FreeBSD Project
Topic: OpenSSL NULL pointer deference vulnerability
Category: contrib
Module: openssl
Announced: 2014-05-13
Affects: FreeBSD 10.x.
Corrected: 2014-05-13 23:19:16 UTC (stable/10, 10.0-STABLE)
2014-05-13 23:22:28 UTC (releng/10.0, 10.0-RELEASE-p3)
CVE Name: CVE-2014-0198
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.
The TLS protocol supports an alert protocol which can be used to signal the
other party with certain failures in the protocol context that may require
immediate termination of the connection.
II. Problem Description
An attacker can trigger generation of an SSL alert which could cause a null
pointer deference.
III. Impact
An attacker may be able to cause a service process that uses OpenSSL to crash,
which can be used in a denial-of-service attack.
IV. Workaround
No workaround is available, but systems that do not use OpenSSL to implement
the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
protocols, or not using SSL_MODE_RELEASE_BUFFERS and use the same process
to handle multiple SSL connections, are not vulnerable.
The FreeBSD base system service daemons and utilities do not use the
SSL_MODE_RELEASE_BUFFERS mode. However, many third party software uses this
mode to reduce their memory footprint and may therefore be affected by this
issue.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-14:10/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-14:10/openssl.patch.asc
# gpg --verify openssl.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
Restart all deamons using the library, or reboot the system.
3) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/10/ r265986
releng/10.0/ r265987
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/005_openssl.patch.sig>
<URL:https://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=3321>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198>
The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:10.openssl.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
iQIcBAEBCgAGBQJTcq5IAAoJEO1n7NZdz2rnNb4QAODp1Pxk3GlTwlptWQkC+DJb
bwd2RRtkvkz677JIbdtyM7b5POgUih/NtAF9Yyy/pg8IJcSRiv0f7F5L+maV9nee
KGb27zizWOgIqor6HhRAv2OniVN271OfoyCkt0xRmigBR6dQ80iBVuCk6McvxvjL
5Yfw8wtfF8zAo5p1d4V3EEPOIVPwgJ31YnB/sVv+SyV6Ldl5DS0Gp1Cm9KjvaJUI
CUIljIaH6AFuzs671V4DpuFPtFPIsvGUhEdpf6+ypVJN1J/D+BNRvoIX1zxou4Kf
34qB6cs/LlyBKCPctK/qLU7UScNsuUItpWrw5ESHFHdgsTr8XA9POxU72wlCRCoQ
T2A6zIqPQRgCWfrPnmJNwLN9riMQGc2oFBXd19iITyc8/7OcXAFnzIy+zu++jZp6
rMwGIUCg5UKkSGVWnoYyS/1SQRYqi4MzUqC/AwpQHKoE5CqUzVCJ7zGTFcsie0o4
wfWoFlkgbNl0Attn4HLuXncjvGVCMeWqUERKBU7xIxC1D5PKXF5QmCUqlZrddBaw
ATIFsPEopu2bX/+sbgcGKSF5WAWwdT92vIgarjW3UkKDYihRNKusrOwp3sue7Iw+
QIweOaJLqpSnfQ3me62I3fWYjRwceeASeTx7dYdxrK1Dx5DnlN8gGwwhl/7cvoWe
Xm6DqYXeQRsIxZ7Ng/PO
=4EYM
-----END PGP SIGNATURE-----

232
share/security/patches/EN-14:03/pkg-en-releng-8.4.patch Normal file
View file

@ -0,0 +1,232 @@
Index: etc/Makefile
===================================================================
--- etc/Makefile (revision 265457)
+++ etc/Makefile (working copy)
@@ -172,6 +172,7 @@ distribution:
${_+_}cd ${.CURDIR}/devd; ${MAKE} install
${_+_}cd ${.CURDIR}/gss; ${MAKE} install
${_+_}cd ${.CURDIR}/periodic; ${MAKE} install
+ ${_+_}cd ${.CURDIR}/pkg; ${MAKE} install
${_+_}cd ${.CURDIR}/rc.d; ${MAKE} install
${_+_}cd ${.CURDIR}/../gnu/usr.bin/send-pr; ${MAKE} etc-gnats-freefall
${_+_}cd ${.CURDIR}/../share/termcap; ${MAKE} etc-termcap
Index: etc/mtree/BSD.root.dist
===================================================================
--- etc/mtree/BSD.root.dist (revision 265457)
+++ etc/mtree/BSD.root.dist (working copy)
@@ -52,6 +52,8 @@
weekly
..
..
+ pkg
+ ..
ppp
..
rc.d
Index: etc/mtree/BSD.usr.dist
===================================================================
--- etc/mtree/BSD.usr.dist (revision 265457)
+++ etc/mtree/BSD.usr.dist (working copy)
@@ -340,6 +340,14 @@
..
info
..
+ keys
+ pkg
+ revoked
+ ..
+ trusted
+ ..
+ ..
+ ..
locale
UTF-8
..
Index: etc/pkg/FreeBSD.conf
===================================================================
--- etc/pkg/FreeBSD.conf (revision 0)
+++ etc/pkg/FreeBSD.conf (working copy)
@@ -0,0 +1,16 @@
+# $FreeBSD$
+#
+# To disable this repository, instead of modifying or removing this file,
+# create a /usr/local/etc/pkg/repos/FreeBSD.conf file:
+#
+# mkdir -p /usr/local/etc/pkg/repos
+# echo "FreeBSD: { enabled: no }" > /usr/local/etc/pkg/repos/FreeBSD.conf
+#
+
+FreeBSD: {
+ url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
+ mirror_type: "srv",
+ signature_type: "fingerprints",
+ fingerprints: "/usr/share/keys/pkg",
+ enabled: yes
+}
Index: etc/pkg/Makefile
===================================================================
--- etc/pkg/Makefile (revision 0)
+++ etc/pkg/Makefile (working copy)
@@ -0,0 +1,10 @@
+# $FreeBSD$
+
+NO_OBJ=
+
+FILES= FreeBSD.conf
+
+FILESDIR= /etc/pkg
+FILESMODE= 644
+
+.include <bsd.prog.mk>
Index: share/Makefile
===================================================================
--- share/Makefile (revision 265457)
+++ share/Makefile (working copy)
@@ -9,6 +9,7 @@ SUBDIR= ${_colldef} \
${_dict} \
${_doc} \
${_examples} \
+ keys \
${_man} \
${_me} \
misc \
Index: share/keys/Makefile
===================================================================
--- share/keys/Makefile (revision 0)
+++ share/keys/Makefile (working copy)
@@ -0,0 +1,5 @@
+# $FreeBSD$
+
+SUBDIR= pkg
+
+.include <bsd.subdir.mk>
Index: share/keys/pkg/Makefile
===================================================================
--- share/keys/pkg/Makefile (revision 0)
+++ share/keys/pkg/Makefile (working copy)
@@ -0,0 +1,5 @@
+# $FreeBSD$
+
+SUBDIR= trusted
+
+.include <bsd.subdir.mk>
Index: share/keys/pkg/trusted/Makefile
===================================================================
--- share/keys/pkg/trusted/Makefile (revision 0)
+++ share/keys/pkg/trusted/Makefile (working copy)
@@ -0,0 +1,10 @@
+# $FreeBSD$
+
+NO_OBJ=
+
+FILES= pkg.freebsd.org.2013102301
+
+FILESDIR= /usr/share/keys/pkg/trusted
+FILESMODE= 644
+
+.include <bsd.prog.mk>
Index: share/keys/pkg/trusted/pkg.freebsd.org.2013102301
===================================================================
--- share/keys/pkg/trusted/pkg.freebsd.org.2013102301 (revision 0)
+++ share/keys/pkg/trusted/pkg.freebsd.org.2013102301 (working copy)
@@ -0,0 +1,4 @@
+# $FreeBSD$
+
+function: "sha256"
+fingerprint: "b0170035af3acc5f3f3ae1859dc717101b4e6c1d0a794ad554928ca0cbb2f438"
Index: share/man/man7/hier.7
===================================================================
--- share/man/man7/hier.7 (revision 265457)
+++ share/man/man7/hier.7 (working copy)
@@ -32,7 +32,7 @@
.\" @(#)hier.7 8.1 (Berkeley) 6/5/93
.\" $FreeBSD$
.\"
-.Dd May 25, 2008
+.Dd October 29, 2013
.Dt HIER 7
.Os
.Sh NAME
@@ -546,6 +546,16 @@ ASCII text files used by various games
device description file for device name
.It Pa info/
GNU Info hypertext system
+.It Pa keys/
+known trusted and revoked keys.
+.Bl -tag -width ".Pa keys/pkg/" -compact
+.It Pa keys/pkg/
+fingerprints for
+.Xr pkg 7
+and
+.Xr pkg 8
+.El
+.Pp
.It Pa locale/
localization files;
see
Index: usr.sbin/pkg/pkg.c
===================================================================
--- usr.sbin/pkg/pkg.c (revision 265457)
+++ usr.sbin/pkg/pkg.c (working copy)
@@ -284,13 +284,10 @@ bootstrap_pkg(void)
{
struct url *u;
FILE *remote;
- FILE *config;
- char *site;
struct dns_srvinfo *mirrors, *current;
/* To store _https._tcp. + hostname + \0 */
char zone[MAXHOSTNAMELEN + 13];
char url[MAXPATHLEN];
- char conf[MAXPATHLEN];
char abi[BUFSIZ];
char tmppkg[MAXPATHLEN];
char buf[10240];
@@ -306,7 +303,6 @@ bootstrap_pkg(void)
max_retry = 3;
ret = -1;
remote = NULL;
- config = NULL;
current = mirrors = NULL;
printf("Bootstrapping pkg please wait\n");
@@ -387,26 +383,6 @@ bootstrap_pkg(void)
if ((ret = extract_pkg_static(fd, pkgstatic, MAXPATHLEN)) == 0)
ret = install_pkg_static(pkgstatic, tmppkg);
- snprintf(conf, MAXPATHLEN, "%s/etc/pkg.conf",
- getenv("LOCALBASE") ? getenv("LOCALBASE") : _LOCALBASE);
-
- if (access(conf, R_OK) == -1) {
- site = strrchr(url, '/');
- if (site == NULL)
- goto cleanup;
- site[0] = '\0';
- site = strrchr(url, '/');
- if (site == NULL)
- goto cleanup;
- site[0] = '\0';
-
- config = fopen(conf, "w+");
- if (config == NULL)
- goto cleanup;
- fprintf(config, "packagesite: %s\n", url);
- fclose(config);
- }
-
goto cleanup;
fetchfail:
@@ -423,7 +399,11 @@ cleanup:
static const char confirmation_message[] =
"The package management tool is not yet installed on your system.\n"
-"Do you want to fetch and install it now? [y/N]: ";
+"The mechanism for doing this is not secure on FreeBSD 8. To securely install\n"
+"pkg(8), use ports from a portsnap checkout:\n"
+" # portsnap fetch extract\n"
+" # make -C /usr/ports/ports-mgmt/pkg install clean\n"
+"Do you still want to fetch and install it now? [y/N]: ";
static int
pkg_query_yes_no(void)

17
share/security/patches/EN-14:03/pkg-en-releng-8.4.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
iQIcBAABCgAGBQJTcq56AAoJEO1n7NZdz2rn7uAP/Aj/qkmd/B1E5OcnVndzFdVV
wk7qiDIfo3SckWu0Mz3j45qKgZLYvPgnY4ensL8IuOT2RzLVj9PP9Bqy3aEZquPf
6kYCOGDI8B2wZm8o6aRYPlRAY97OvrEucGFWk6kQCCpak4HmntqvIBmaTqeZ7tKV
lohRBdVNBvYdO89IK3K4hbVReVP2D2qg6U6lZuj0RNLKjVTD8NtUqJMkwQQJTYK9
3BAsiqZM7QFo/E85aP11/Ox14SYov4VQ5zONl2OhshbL4dANrVUGZxh2/ecaN2pv
k+TGCHzd/o6fdopTawZTUqBLRt+Pbj5VCCVWqxszoA5xfIsLmFt9hNTGtzNnevVZ
WjKDba4nyzQoEwig58jbMIKV0eKjvOOmvOAK80EBd9gAOftcsNiFMIuDBkAy0z6j
1mHlQZJXcg4PjOgmzGgZjQrTOiwfGpsisbBnmOhMuBPhrglv7n5QCg5k91i8EBqQ
AWpTY+UcxuFKn2CkEjubppwxf9kqBvK7ClO8gpsJxERjCVPkop8hJfiw9EG+Jzkp
fp4pIeajT+Dj6pAS+Y64tjkClPVTDKEK0H2Ut3d44DO8RUrAgXSWwgqRWNeQQvcM
U4HIuY8+Qt4Ue8NECGYlpJ/RvsoKROiM0hcQH7auGOqsUkdr9k9kA4ICABy43SK6
KO7yxSd7x7hFFuUVMpV3
=pIs3
-----END PGP SIGNATURE-----

229
share/security/patches/EN-14:03/pkg-en-releng-9.1.patch Normal file
View file

@ -0,0 +1,229 @@
Index: etc/Makefile
===================================================================
--- etc/Makefile (revision 265457)
+++ etc/Makefile (working copy)
@@ -205,6 +205,7 @@ distribution:
${_+_}cd ${.CURDIR}/devd; ${MAKE} install
${_+_}cd ${.CURDIR}/gss; ${MAKE} install
${_+_}cd ${.CURDIR}/periodic; ${MAKE} install
+ ${_+_}cd ${.CURDIR}/pkg; ${MAKE} install
${_+_}cd ${.CURDIR}/rc.d; ${MAKE} install
${_+_}cd ${.CURDIR}/../gnu/usr.bin/send-pr; ${MAKE} etc-gnats-freefall
${_+_}cd ${.CURDIR}/../share/termcap; ${MAKE} etc-termcap
Index: etc/mtree/BSD.root.dist
===================================================================
--- etc/mtree/BSD.root.dist (revision 265457)
+++ etc/mtree/BSD.root.dist (working copy)
@@ -52,6 +52,8 @@
weekly
..
..
+ pkg
+ ..
ppp
..
rc.d
Index: etc/mtree/BSD.usr.dist
===================================================================
--- etc/mtree/BSD.usr.dist (revision 265457)
+++ etc/mtree/BSD.usr.dist (working copy)
@@ -398,6 +398,14 @@
..
..
..
+ keys
+ pkg
+ revoked
+ ..
+ trusted
+ ..
+ ..
+ ..
locale
UTF-8
..
Index: etc/pkg/FreeBSD.conf
===================================================================
--- etc/pkg/FreeBSD.conf (revision 0)
+++ etc/pkg/FreeBSD.conf (working copy)
@@ -0,0 +1,16 @@
+# $FreeBSD$
+#
+# To disable this repository, instead of modifying or removing this file,
+# create a /usr/local/etc/pkg/repos/FreeBSD.conf file:
+#
+# mkdir -p /usr/local/etc/pkg/repos
+# echo "FreeBSD: { enabled: no }" > /usr/local/etc/pkg/repos/FreeBSD.conf
+#
+
+FreeBSD: {
+ url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
+ mirror_type: "srv",
+ signature_type: "fingerprints",
+ fingerprints: "/usr/share/keys/pkg",
+ enabled: yes
+}
Index: etc/pkg/Makefile
===================================================================
--- etc/pkg/Makefile (revision 0)
+++ etc/pkg/Makefile (working copy)
@@ -0,0 +1,10 @@
+# $FreeBSD$
+
+NO_OBJ=
+
+FILES= FreeBSD.conf
+
+FILESDIR= /etc/pkg
+FILESMODE= 644
+
+.include <bsd.prog.mk>
Index: share/Makefile
===================================================================
--- share/Makefile (revision 265457)
+++ share/Makefile (working copy)
@@ -10,6 +10,7 @@ SUBDIR= ${_colldef} \
${_doc} \
${_examples} \
${_i18n} \
+ keys \
${_man} \
${_me} \
misc \
Index: share/keys/Makefile
===================================================================
--- share/keys/Makefile (revision 0)
+++ share/keys/Makefile (working copy)
@@ -0,0 +1,5 @@
+# $FreeBSD$
+
+SUBDIR= pkg
+
+.include <bsd.subdir.mk>
Index: share/keys/pkg/Makefile
===================================================================
--- share/keys/pkg/Makefile (revision 0)
+++ share/keys/pkg/Makefile (working copy)
@@ -0,0 +1,5 @@
+# $FreeBSD$
+
+SUBDIR= trusted
+
+.include <bsd.subdir.mk>
Index: share/keys/pkg/trusted/Makefile
===================================================================
--- share/keys/pkg/trusted/Makefile (revision 0)
+++ share/keys/pkg/trusted/Makefile (working copy)
@@ -0,0 +1,10 @@
+# $FreeBSD$
+
+NO_OBJ=
+
+FILES= pkg.freebsd.org.2013102301
+
+FILESDIR= /usr/share/keys/pkg/trusted
+FILESMODE= 644
+
+.include <bsd.prog.mk>
Index: share/keys/pkg/trusted/pkg.freebsd.org.2013102301
===================================================================
--- share/keys/pkg/trusted/pkg.freebsd.org.2013102301 (revision 0)
+++ share/keys/pkg/trusted/pkg.freebsd.org.2013102301 (working copy)
@@ -0,0 +1,4 @@
+# $FreeBSD$
+
+function: "sha256"
+fingerprint: "b0170035af3acc5f3f3ae1859dc717101b4e6c1d0a794ad554928ca0cbb2f438"
Index: share/man/man7/hier.7
===================================================================
--- share/man/man7/hier.7 (revision 265457)
+++ share/man/man7/hier.7 (working copy)
@@ -32,7 +32,7 @@
.\" @(#)hier.7 8.1 (Berkeley) 6/5/93
.\" $FreeBSD$
.\"
-.Dd May 25, 2008
+.Dd October 29, 2013
.Dt HIER 7
.Os
.Sh NAME
@@ -546,6 +546,16 @@ ASCII text files used by various games
device description file for device name
.It Pa info/
GNU Info hypertext system
+.It Pa keys/
+known trusted and revoked keys.
+.Bl -tag -width ".Pa keys/pkg/" -compact
+.It Pa keys/pkg/
+fingerprints for
+.Xr pkg 7
+and
+.Xr pkg 8
+.El
+.Pp
.It Pa locale/
localization files;
see
Index: usr.sbin/pkg/pkg.c
===================================================================
--- usr.sbin/pkg/pkg.c (revision 265457)
+++ usr.sbin/pkg/pkg.c (working copy)
@@ -282,10 +282,7 @@ static int
bootstrap_pkg(void)
{
FILE *remote;
- FILE *config;
- char *site;
char url[MAXPATHLEN];
- char conf[MAXPATHLEN];
char abi[BUFSIZ];
char tmppkg[MAXPATHLEN];
char buf[10240];
@@ -300,7 +297,6 @@ bootstrap_pkg(void)
last = 0;
ret = -1;
remote = NULL;
- config = NULL;
printf("Bootstrapping pkg please wait\n");
@@ -355,26 +351,6 @@ bootstrap_pkg(void)
if ((ret = extract_pkg_static(fd, pkgstatic, MAXPATHLEN)) == 0)
ret = install_pkg_static(pkgstatic, tmppkg);
- snprintf(conf, MAXPATHLEN, "%s/etc/pkg.conf",
- getenv("LOCALBASE") ? getenv("LOCALBASE") : _LOCALBASE);
-
- if (access(conf, R_OK) == -1) {
- site = strrchr(url, '/');
- if (site == NULL)
- goto cleanup;
- site[0] = '\0';
- site = strrchr(url, '/');
- if (site == NULL)
- goto cleanup;
- site[0] = '\0';
-
- config = fopen(conf, "w+");
- if (config == NULL)
- goto cleanup;
- fprintf(config, "packagesite: %s\n", url);
- fclose(config);
- }
-
goto cleanup;
fetchfail:
@@ -391,7 +367,11 @@ cleanup:
static const char confirmation_message[] =
"The package management tool is not yet installed on your system.\n"
-"Do you want to fetch and install it now? [y/N]: ";
+"The mechanism for doing this is not secure on FreeBSD 9.1. To securely install\n"
+"pkg(8), use ports from a portsnap checkout:\n"
+" # portsnap fetch extract\n"
+" # make -C /usr/ports/ports-mgmt/pkg install clean\n"
+"Do you still want to fetch and install it now? [y/N]: ";
static int
pkg_query_yes_no(void)

17
share/security/patches/EN-14:03/pkg-en-releng-9.1.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
iQIcBAABCgAGBQJTcq56AAoJEO1n7NZdz2rnpMoP/0YInCSO2ibhMFgcpDF1fcWU
35grsxS6e/r5f1R51rWbYpATp3ha5IcFUkqw8BE0J5SG5AeVGBNQKLaTZojn1UII
PF/+oFJ+l8dwBHB1W+3BKyxKXABTB5/kuMsXdFCcTu0gY4nCqBuwRSC34WhA+5k6
wsED+2U/Nwye/nudJ/jIkC8r9pInCiNcc0JGTI4s6mbEeJUOoAutAFCSpXbOiwN7
CgdtlmKW8flLmjaB+rzg5FervM4y0zXUXPeuILHoWrC6Blq/EygVMxnFg29V4G/+
wo2tqKuYOQFpHI5sZOe4Ozo/sWEELwxZYC8SxWkvFT/3JGF64ZtjL0ETRq8yQcYX
HnlbMtD/oFmQdOHMzfvRNSH6ZrbmdJioTRZt1l35ifr56ivGqpoegAwKeZJu238g
KufmU6C3qsFY6lEnTewu3pv6+x9jUdNXCVzPq/LN7FrraPxkc++nV+0pXayAMMdl
EHgIbi2U4YCOueKvcAO8CiH7sJFqe1w5EUD2/SU7Pnl0uINxyyhlmEN10DJ7b3gJ
OJHfp40fJAntxPR847fwslRUxpSFPIURksgro4Izhycd8UDRcjBi4ETVyYlGSMCO
rXbSB9cnVtcClCCA5HFsLRHoqgNlvEozpSODm+9DS1t2ePNyJ8CCTobdiiwWcrVA
/itoWkjBq7mezniYtCMh
=fE9a
-----END PGP SIGNATURE-----

232
share/security/patches/EN-14:03/pkg-en-releng-9.2.patch Normal file
View file

@ -0,0 +1,232 @@
Index: etc/Makefile
===================================================================
--- etc/Makefile (revision 265457)
+++ etc/Makefile (working copy)
@@ -224,6 +224,7 @@ distribution:
${_+_}cd ${.CURDIR}/devd; ${MAKE} install
${_+_}cd ${.CURDIR}/gss; ${MAKE} install
${_+_}cd ${.CURDIR}/periodic; ${MAKE} install
+ ${_+_}cd ${.CURDIR}/pkg; ${MAKE} install
${_+_}cd ${.CURDIR}/rc.d; ${MAKE} install
${_+_}cd ${.CURDIR}/../gnu/usr.bin/send-pr; ${MAKE} etc-gnats-freefall
${_+_}cd ${.CURDIR}/../share/termcap; ${MAKE} etc-termcap
Index: etc/mtree/BSD.root.dist
===================================================================
--- etc/mtree/BSD.root.dist (revision 265457)
+++ etc/mtree/BSD.root.dist (working copy)
@@ -52,6 +52,8 @@
weekly
..
..
+ pkg
+ ..
ppp
..
rc.d
Index: etc/mtree/BSD.usr.dist
===================================================================
--- etc/mtree/BSD.usr.dist (revision 265457)
+++ etc/mtree/BSD.usr.dist (working copy)
@@ -402,6 +402,14 @@
..
..
..
+ keys
+ pkg
+ revoked
+ ..
+ trusted
+ ..
+ ..
+ ..
locale
UTF-8
..
Index: etc/pkg/FreeBSD.conf
===================================================================
--- etc/pkg/FreeBSD.conf (revision 0)
+++ etc/pkg/FreeBSD.conf (working copy)
@@ -0,0 +1,16 @@
+# $FreeBSD$
+#
+# To disable this repository, instead of modifying or removing this file,
+# create a /usr/local/etc/pkg/repos/FreeBSD.conf file:
+#
+# mkdir -p /usr/local/etc/pkg/repos
+# echo "FreeBSD: { enabled: no }" > /usr/local/etc/pkg/repos/FreeBSD.conf
+#
+
+FreeBSD: {
+ url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
+ mirror_type: "srv",
+ signature_type: "fingerprints",
+ fingerprints: "/usr/share/keys/pkg",
+ enabled: yes
+}
Index: etc/pkg/Makefile
===================================================================
--- etc/pkg/Makefile (revision 0)
+++ etc/pkg/Makefile (working copy)
@@ -0,0 +1,10 @@
+# $FreeBSD$
+
+NO_OBJ=
+
+FILES= FreeBSD.conf
+
+FILESDIR= /etc/pkg
+FILESMODE= 644
+
+.include <bsd.prog.mk>
Index: share/Makefile
===================================================================
--- share/Makefile (revision 265457)
+++ share/Makefile (working copy)
@@ -11,6 +11,7 @@ SUBDIR= ${_colldef} \
dtrace \
${_examples} \
${_i18n} \
+ keys \
${_man} \
${_me} \
misc \
Index: share/keys/Makefile
===================================================================
--- share/keys/Makefile (revision 0)
+++ share/keys/Makefile (working copy)
@@ -0,0 +1,5 @@
+# $FreeBSD$
+
+SUBDIR= pkg
+
+.include <bsd.subdir.mk>
Index: share/keys/pkg/Makefile
===================================================================
--- share/keys/pkg/Makefile (revision 0)
+++ share/keys/pkg/Makefile (working copy)
@@ -0,0 +1,5 @@
+# $FreeBSD$
+
+SUBDIR= trusted
+
+.include <bsd.subdir.mk>
Index: share/keys/pkg/trusted/Makefile
===================================================================
--- share/keys/pkg/trusted/Makefile (revision 0)
+++ share/keys/pkg/trusted/Makefile (working copy)
@@ -0,0 +1,10 @@
+# $FreeBSD$
+
+NO_OBJ=
+
+FILES= pkg.freebsd.org.2013102301
+
+FILESDIR= /usr/share/keys/pkg/trusted
+FILESMODE= 644
+
+.include <bsd.prog.mk>
Index: share/keys/pkg/trusted/pkg.freebsd.org.2013102301
===================================================================
--- share/keys/pkg/trusted/pkg.freebsd.org.2013102301 (revision 0)
+++ share/keys/pkg/trusted/pkg.freebsd.org.2013102301 (working copy)
@@ -0,0 +1,4 @@
+# $FreeBSD$
+
+function: "sha256"
+fingerprint: "b0170035af3acc5f3f3ae1859dc717101b4e6c1d0a794ad554928ca0cbb2f438"
Index: share/man/man7/hier.7
===================================================================
--- share/man/man7/hier.7 (revision 265457)
+++ share/man/man7/hier.7 (working copy)
@@ -32,7 +32,7 @@
.\" @(#)hier.7 8.1 (Berkeley) 6/5/93
.\" $FreeBSD$
.\"
-.Dd January 21, 2010
+.Dd October 29, 2013
.Dt HIER 7
.Os
.Sh NAME
@@ -546,6 +546,16 @@ ASCII text files used by various games
device description file for device name
.It Pa info/
GNU Info hypertext system
+.It Pa keys/
+known trusted and revoked keys.
+.Bl -tag -width ".Pa keys/pkg/" -compact
+.It Pa keys/pkg/
+fingerprints for
+.Xr pkg 7
+and
+.Xr pkg 8
+.El
+.Pp
.It Pa locale/
localization files;
see
Index: usr.sbin/pkg/pkg.c
===================================================================
--- usr.sbin/pkg/pkg.c (revision 265457)
+++ usr.sbin/pkg/pkg.c (working copy)
@@ -284,13 +284,10 @@ bootstrap_pkg(void)
{
struct url *u;
FILE *remote;
- FILE *config;
- char *site;
struct dns_srvinfo *mirrors, *current;
/* To store _https._tcp. + hostname + \0 */
char zone[MAXHOSTNAMELEN + 13];
char url[MAXPATHLEN];
- char conf[MAXPATHLEN];
char abi[BUFSIZ];
char tmppkg[MAXPATHLEN];
char buf[10240];
@@ -306,7 +303,6 @@ bootstrap_pkg(void)
max_retry = 3;
ret = -1;
remote = NULL;
- config = NULL;
current = mirrors = NULL;
printf("Bootstrapping pkg please wait\n");
@@ -387,26 +383,6 @@ bootstrap_pkg(void)
if ((ret = extract_pkg_static(fd, pkgstatic, MAXPATHLEN)) == 0)
ret = install_pkg_static(pkgstatic, tmppkg);
- snprintf(conf, MAXPATHLEN, "%s/etc/pkg.conf",
- getenv("LOCALBASE") ? getenv("LOCALBASE") : _LOCALBASE);
-
- if (access(conf, R_OK) == -1) {
- site = strrchr(url, '/');
- if (site == NULL)
- goto cleanup;
- site[0] = '\0';
- site = strrchr(url, '/');
- if (site == NULL)
- goto cleanup;
- site[0] = '\0';
-
- config = fopen(conf, "w+");
- if (config == NULL)
- goto cleanup;
- fprintf(config, "packagesite: %s\n", url);
- fclose(config);
- }
-
goto cleanup;
fetchfail:
@@ -423,7 +399,11 @@ cleanup:
static const char confirmation_message[] =
"The package management tool is not yet installed on your system.\n"
-"Do you want to fetch and install it now? [y/N]: ";
+"The mechanism for doing this is not secure on FreeBSD 9.2. To securely install\n"
+"pkg(8), use ports from a portsnap checkout:\n"
+" # portsnap fetch extract\n"
+" # make -C /usr/ports/ports-mgmt/pkg install clean\n"
+"Do you still want to fetch and install it now? [y/N]: ";
static int
pkg_query_yes_no(void)

17
share/security/patches/EN-14:03/pkg-en-releng-9.2.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
iQIcBAABCgAGBQJTcq56AAoJEO1n7NZdz2rnr5YP/37fG1wkIUyrDvn3fZTMtx6W
G7Qroe8EqW+0eUgaOm2eIyBhdw9xpn7rT0I53gp7LRPn1hnBIjuP8FPhadyIrbUd
C3e4cwOZ0EOU0A91b2UuIeWrwN2qcwtkLEhlzbmn+v23+N9SgSWD9jNCnfRQhkhT
neJY7Yk2+C/+yQpcauKe1rwBUKAV/EPiIvbDZEW45zLsZ6lm9H4V6Hu2z0XkaT3w
EwYklJsaJjE0JI/PN8BVW4ChSHnGsiJJLdLqavHhMXau7sOlOQhkwJmsXpmv0HPL
GBKG9S05v0y+hH0RHrQnzt6iRXYa9EreW4SBp8OK+x0yC0GpKZYLLs9Gt/xOyjMi
a+Luul/LWshfnUfN0k74POcFddhZz1sKWx6nRv9+AOFn/I9dBaYJ2Ux4WExQs1JN
E17aRkQadbo/Z2Y//rt+URW9x9jvVx86karDk/CnwNPjgKvkGPFz64EQNciFvbUL
BkV6PLTBjigtP4DdaP00eF4qzC4QVrzUQs9d4+aJHpZZ24ZwtC5h/Y1pkPvJRBdx
CCxhR/JjFtjpF2owvIuYB9delHcfWaBlkKLGbLncBg0VkAhYK4Qjwmj2iEpCikcG
uglbHXs8yyqQAzPnYZF/2IoR2PqO2G1e32OFH18UyGPdD+JQlGNOBym63xKZcv3W
x0WIT9Ox4/plEyu+LU/H
=aYZ5
-----END PGP SIGNATURE-----

30
share/security/patches/EN-14:04/kldxref.patch Normal file
View file

@ -0,0 +1,30 @@
Index: usr.sbin/kldxref/kldxref.c
===================================================================
--- usr.sbin/kldxref/kldxref.c (revision 265111)
+++ usr.sbin/kldxref/kldxref.c (working copy)
@@ -274,6 +274,16 @@ usage(void)
exit(1);
}
+static int
+compare(const FTSENT *const *a, const FTSENT *const *b)
+{
+ if ((*a)->fts_info == FTS_D && (*b)->fts_info != FTS_D)
+ return 1;
+ if ((*a)->fts_info != FTS_D && (*b)->fts_info == FTS_D)
+ return -1;
+ return strcmp((*a)->fts_name, (*b)->fts_name);
+}
+
int
main(int argc, char *argv[])
{
@@ -315,7 +325,7 @@ main(int argc, char *argv[])
err(1, "%s", argv[0]);
}
- ftsp = fts_open(argv, fts_options, 0);
+ ftsp = fts_open(argv, fts_options, compare);
if (ftsp == NULL)
exit(1);

17
share/security/patches/EN-14:04/kldxref.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
iQIcBAABCgAGBQJTcq56AAoJEO1n7NZdz2rnpNEP/0xBdG0G1LxUZFG+pZ7z95RG
Fgr2hg7m5iRoHd9x3LJ9PLfP6nZjRHUeLIxbPF5cUO1lQWHiHsInm6qZ+A7ufMPa
meGgkFtwH5rKTmvrHmmiajJObYq1cJzxwNZOZh2UHTH+mL+npj30F5JyUAUTVNpp
jTfAFGDjpI1nrl7SUZ0JAUE7SBNgSRHlWwx3BTrPbD0mYdKaob5RnVYxNoCZneEX
IePhmq+59yYlQfTvsuEUKPsfJH/IrPGrVpwH1jRSYQCQnoGj4voFsQJkZSPPqKyN
+/EeAPuAFEQgsNbQBVQA3wY7Jb0cY/07mqYiBODC/AT8c5jTyNv1U8mRyAllVUrQ
sofakJSA/G5a6NYY0OB6w2simRRwRdy/Z4lGrwchFYlOeVAMf5+9983cDT3Nl7HE
DVNJM8MVrMcb2yZ3lQA3DoLPw+NL5U7I1uQjll1VMeGd7I1JoeVRV5/sdmda/HXt
o5gUmvxg5WyO7+Da5ZMkbsWOkBtVhYQVUPL/3BOkHjRj3OHPns7tZcluOjluJpJA
ItKEqQ46955zVjb5k/BrNV4Vn1IABtEDzHYmf5VWbCaRbnmHLRbicIJkVcOqk8Ox
KGq3EbuK5z4+ngGm2XK5iMqel9Fxq5MTlGEBfxWDCZyblPwjr5I2Zmqy59c05cd8
eQI6u8f1Dda+tO/jQ9qT
=XTgH
-----END PGP SIGNATURE-----

65
share/security/patches/EN-14:05/ciss.patch Normal file
View file

@ -0,0 +1,65 @@
Index: sys/dev/ciss/ciss.c
===================================================================
--- sys/dev/ciss/ciss.c (revision 264510)
+++ sys/dev/ciss/ciss.c (revision 264511)
@@ -180,8 +180,6 @@
static void ciss_cam_poll(struct cam_sim *sim);
static void ciss_cam_complete(struct ciss_request *cr);
static void ciss_cam_complete_fixup(struct ciss_softc *sc, struct ccb_scsiio *csio);
-static struct cam_periph *ciss_find_periph(struct ciss_softc *sc,
- int bus, int target);
static int ciss_name_device(struct ciss_softc *sc, int bus, int target);
/* periodic status monitoring */
@@ -3398,27 +3396,6 @@
/********************************************************************************
- * Find a peripheral attached at (target)
- */
-static struct cam_periph *
-ciss_find_periph(struct ciss_softc *sc, int bus, int target)
-{
- struct cam_periph *periph;
- struct cam_path *path;
- int status;
-
- status = xpt_create_path(&path, NULL, cam_sim_path(sc->ciss_cam_sim[bus]),
- target, 0);
- if (status == CAM_REQ_CMP) {
- periph = cam_periph_find(path, NULL);
- xpt_free_path(path);
- } else {
- periph = NULL;
- }
- return(periph);
-}
-
-/********************************************************************************
* Name the device at (target)
*
* XXX is this strictly correct?
@@ -3427,12 +3404,22 @@
ciss_name_device(struct ciss_softc *sc, int bus, int target)
{
struct cam_periph *periph;
+ struct cam_path *path;
+ int status;
if (CISS_IS_PHYSICAL(bus))
return (0);
- if ((periph = ciss_find_periph(sc, bus, target)) != NULL) {
+
+ status = xpt_create_path(&path, NULL, cam_sim_path(sc->ciss_cam_sim[bus]),
+ target, 0);
+
+ if (status == CAM_REQ_CMP) {
+ mtx_lock(&sc->ciss_mtx);
+ periph = cam_periph_find(path, NULL);
sprintf(sc->ciss_logical[bus][target].cl_name, "%s%d",
periph->periph_name, periph->unit_number);
+ mtx_unlock(&sc->ciss_mtx);
+ xpt_free_path(path);
return(0);
}
sc->ciss_logical[bus][target].cl_name[0] = 0;

17
share/security/patches/EN-14:05/ciss.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
iQIcBAABCgAGBQJTcq57AAoJEO1n7NZdz2rn6DgP/itRaA98D+sfQCMYuK3u5XiT
uDw1iKT3bio1f8/OrfwljpO0afDoJwEFpL89quG0BhIU89GcArqMk6cGa63N2/DI
PiTPss4g0MG4pVdEJEkO1JsqvK07ePTYH/7MaVFdJSQc6Q3N1EtmABFP0+xk3QPS
Gg9wRK0Bfl0ewawMsC0Bj2RQ6ltQaURFKogcCmDVDYRkn3j11b3CUcNrHlAlaM/3
5LMCExizLlKHzFYpQhahHxWHjEXEn0eDDbAFD9xU+d+GUCFiw+G09Lp56if0HgMy
RmVMVd7uP5slxpAbbRiTqhoa/qwAWx9rj8By6PudBxqxACVc81di6ADuqRhUrpTt
xZY/vVdDT8r8zX2kKDx8e/uWDo9nUQIZznYDvDSBzLjbIn0DLXajmiXKMz9pPzBx
+rl2LIwwmcdi75r03qugd+PQKWtdnOI7u3B5qKtS3Rxf3dAyIRwT35KHg4SwImjg
3GmRByHEOtdgV6huYoTAIvurYlzDLK/leZgnw7f1neIhLRhz3rpKE2kzMUEj6jom
/LzUqJVIOHOkrLztc314f4PdTn7L1rVIQuwIErybwOO6c1Xu3aSRuAF9K2tfD4VE
PAoLmD6PpqT1dc/7kmwY5wE4nrNU4ubqW8opFLPBCLH1Xk5pvniSUglxWJBDxK84
tDIyHPvRjdQ0mROo0cSZ
=lTSe
-----END PGP SIGNATURE-----

15
share/security/patches/SA-14:10/openssl.patch Normal file
View file

@ -0,0 +1,15 @@
Index: crypto/openssl/ssl/s3_pkt.c
===================================================================
--- crypto/openssl/ssl/s3_pkt.c (revision 265111)
+++ crypto/openssl/ssl/s3_pkt.c (working copy)
@@ -657,6 +657,10 @@ static int do_ssl3_write(SSL *s, int type, const u
if (i <= 0)
return(i);
/* if it went, fall through and send more stuff */
+ /* we may have released our buffer, so get it again */
+ if (wb->buf == NULL)
+ if (!ssl3_setup_write_buffer(s))
+ return -1;
}
if (len == 0 && !create_empty_fragment)

17
share/security/patches/SA-14:10/openssl.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
iQIcBAABCgAGBQJTcq6MAAoJEO1n7NZdz2rnDAYP/3jlC66FjgMihCUB3tVByZjO
7aa2ChUYO0V5fiwOWdUxwz15iFH+PbIiRBCBsHADtIV63z6KMF56irEqGdKQJNRb
YCr/5ErcHH1xd/SXEqJLGVWl6ydYaUC++20PjhqTZvy3/T6y8/CVjCHa1+u37cQB
B8pPjs+umq/XXqdG3WSJabCGRrEdJVTgydhOpUHvg38mtz29y3odALdwJp4CK5Ml
JEocIIfpPwUTrsGITbF9ql4XcF/hFTqVZOcLJTt3VWfsYMR8Rd+EuQO1Cmzrfo6R
U50FXYibYtXUqM3N2ByH2JbTBXjI4uyPE5//Y4dnFYTQD1Vy+rKH6h9pXV2wKSlk
sMx0ibHrpBXJvrebVBB3lDJgmmUCxxUX87bpGafTFsk3BphhpV/Vq7Pgvtfz6hFa
ifzc7Iy2oNR05DRekG+fMa0UwBaZand4IVY6jqpBikW4OMaSOEjrV+uqV+MkfXLw
IRJEvVUbSfvwsSkBEhMvjTp/DUx6wNUGyXJ1931u7fTZlpQRp3sn2Zi+76U3B31l
6oEPmoYWbwytScwcrIL82rdBRziF0kuuf9f5dG11zTuMqlT+7HuF4iYkENfMwiuu
W69OfochdyqIPA2Nw5iIvg73Ozs/fyJOAIh5pIC5oL83O/Ea3FVFJeFAzkPWd2fA
SiGNEd12hER2Xx4Hkvi7
=qOXh
-----END PGP SIGNATURE-----

12
share/xml/advisories.xml
View file

@ -7,6 +7,18 @@
<year> <year>
<name>2014</name> <name>2014</name>
<month>
<name>5</name>
<day>
<name>13</name>
<advisory>
<name>FreeBSD-SA-14:09.openssl</name>
</advisory>
</day>
</month>
<month> <month>
<name>4</name> <name>4</name>

20
share/xml/notices.xml
View file

@ -7,6 +7,26 @@
<year> <year>
<name>2014</name> <name>2014</name>
<month>
<name>5</name>
<day>
<name>13</name>
<notice>
<name>FreeBSD-EN-14:03.pkg</name>
</notice>
<notice>
<name>FreeBSD-EN-14:04.kldxref</name>
</notice>
<notice>
<name>FreeBSD-EN-14:05.ciss</name>
</notice>
</day>
</month>
<month> <month>
<name>1</name> <name>1</name>