Add SA-15:21.amd64, SA-15:22.openssh, EN-15:14.ixgbe and EN-15:15.pkg.
This commit is contained in:
		
							parent
							
								
									a34f8cc55c
								
							
						
					
					
						commit
						9c7cd2396b
					
				
				
				Notes:
				
					svn2git
				
				2020-12-08 03:00:23 +00:00 
				
			
			svn path=/head/; revision=47309
					 14 changed files with 826 additions and 0 deletions
				
			
		
							
								
								
									
										121
									
								
								share/security/advisories/FreeBSD-EN-15:14.ixgbe.asc
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										121
									
								
								share/security/advisories/FreeBSD-EN-15:14.ixgbe.asc
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,121 @@ | |||
| -----BEGIN PGP SIGNED MESSAGE----- | ||||
| Hash: SHA512 | ||||
| 
 | ||||
| ============================================================================= | ||||
| FreeBSD-EN-15:14.ixgbe                                          Errata Notice | ||||
|                                                           The FreeBSD Project | ||||
| 
 | ||||
| Topic:          Disable ixgbe(4) flow-director support | ||||
| 
 | ||||
| Category:       core | ||||
| Module:         ixgbe | ||||
| Announced:      2015-08-25 | ||||
| Credits:        Marc De La Gueronniere (Verisign, Inc.) | ||||
| Affects:        FreeBSD 10.1 | ||||
| Corrected:      2014-10-11 22:10:39 UTC (stable/10, 10.1-STABLE) | ||||
|                 2015-08-25 20:48:58 UTC (releng/10.1, 10.1-RELEASE-p19) | ||||
| 
 | ||||
| For general information regarding FreeBSD Errata Notices and Security | ||||
| Advisories, including descriptions of the fields above, security | ||||
| branches, and the following sections, please visit | ||||
| <URL:https://security.freebsd.org/>. | ||||
| 
 | ||||
| I.   Background | ||||
| 
 | ||||
| Flow director is an Intel technology to steer incoming packets in application | ||||
| aware fashion. | ||||
| 
 | ||||
| II.  Problem Description | ||||
| 
 | ||||
| Flow director support is not completely/correctly implemented in FreeBSD at | ||||
| this time. | ||||
| 
 | ||||
| III. Impact | ||||
| 
 | ||||
| Enabling flow director support may cause traffic to land on a wrong RX queue | ||||
| of the NIC, resulting in bad or sub-optimal performance on the receive side. | ||||
| 
 | ||||
| IV.  Workaround | ||||
| 
 | ||||
| No workaround is available, but systems that do not have Intel(R) 82559 | ||||
| series 10Gb Ethernet Controllers are not affected. | ||||
| 
 | ||||
| V.   Solution | ||||
| 
 | ||||
| Perform one of the following: | ||||
| 
 | ||||
| 1) Upgrade your system to a supported FreeBSD stable or release / security | ||||
| branch (releng) dated after the correction date. | ||||
| 
 | ||||
| 2) To update your present system via a binary patch: | ||||
| 
 | ||||
| Systems running a RELEASE version of FreeBSD on the i386 or amd64 | ||||
| platforms can be updated via the freebsd-update(8) utility: | ||||
| 
 | ||||
| # freebsd-update fetch | ||||
| # freebsd-update install | ||||
| 
 | ||||
| 3) To update your present system via a source code patch: | ||||
| 
 | ||||
| The following patches have been verified to apply to the applicable | ||||
| FreeBSD release branches. | ||||
| 
 | ||||
| a) Download the relevant patch from the location below, and verify the | ||||
| detached PGP signature using your PGP utility. | ||||
| 
 | ||||
| # fetch https://security.FreeBSD.org/patches/EN-15:14/ixgbe.patch | ||||
| # fetch https://security.FreeBSD.org/patches/EN-15:14/ixgbe.patch.asc | ||||
| # gpg --verify ixgbe.patch.asc | ||||
| 
 | ||||
| b) Apply the patch.  Execute the following commands as root: | ||||
| 
 | ||||
| # cd /usr/src | ||||
| # patch < /path/to/patch | ||||
| 
 | ||||
| c) Recompile your kernel as described in | ||||
| <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the | ||||
| system. | ||||
| 
 | ||||
| VI.  Correction details | ||||
| 
 | ||||
| The following list contains the correction revision numbers for each | ||||
| affected branch. | ||||
| 
 | ||||
| Branch/path                                                      Revision | ||||
| - ------------------------------------------------------------------------- | ||||
| stable/10/                                                        r272967 | ||||
| releng/10.1/                                                      r287146 | ||||
| - ------------------------------------------------------------------------- | ||||
| 
 | ||||
| To see which files were modified by a particular revision, run the | ||||
| following command, replacing NNNNNN with the revision number, on a | ||||
| machine with Subversion installed: | ||||
| 
 | ||||
| # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base | ||||
| 
 | ||||
| Or visit the following URL, replacing NNNNNN with the revision number: | ||||
| 
 | ||||
| <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> | ||||
| 
 | ||||
| VII. References | ||||
| 
 | ||||
| The latest revision of this Errata Notice is available at | ||||
| https://security.FreeBSD.org/advisories/FreeBSD-EN-15:14.ixgbe.asc | ||||
| 
 | ||||
| -----BEGIN PGP SIGNATURE----- | ||||
| Version: GnuPG v2.1.7 (FreeBSD) | ||||
| 
 | ||||
| iQIcBAEBCgAGBQJV3NfOAAoJEO1n7NZdz2rnImEP/j4kfmZ2XqZ/zbQINCPfybyU | ||||
| oSIgqyD6u4G/hy3gS4k7eLk6tQdUpnYzcoLLfeq0F2uY3DmWXJDBAKG0Bg7QaSzJ | ||||
| 3wWyZsN6XHkgNNCFGFsmep//8kAAXoAgJ2IoIPLe6eRHimESLtW2xlnow5PFL4Aw | ||||
| JMj5B/RoxtQZ/phE1zJym7eSpjVUbBrqhj/KkJUZ0W6WOkaT0GPVctvHlc2buZh7 | ||||
| 6u17LKgZaMMmmCvBNggkYGfiE51aJ9I0n5FdAHvlcaLCw+K58/Q6M2CRpMIorgh6 | ||||
| uaUHLZdT8VcZ8KVmDdBul0sZ9pkprHZ4J/htEL2mCOpmsRn/lduHAvf921mtX/64 | ||||
| Msg8bdXM48Q5WCv9sfcmMVgMA+6m+MekKc9wKYWw6Ldy0wcQ874jE+nuh3KBq+6X | ||||
| Te4VbxrwuAnspqrnt4Q4NXnqxyElO0BGo6lCSEUGCRje+hlOWG2WhftEV894cRG+ | ||||
| JCS6YRvX5C7i8+XD+MhvTeAi7pbaZkq6ODxQAOZgbz4JMQFq8ldOgvLdhUndKGlH | ||||
| xJ9/pK4u5kxXyVx4HPGm0MYlijjHDi/sSAJADutikpNOzlhyZqubA8LgLoBXtyfF | ||||
| /Kk3GYOJvOMSK8QB7YxFRS+zPi1YxAFPEJb7ZV2ygf6RMZpIFoRLFt1kDszo+TeZ | ||||
| iKXcFJvlwI49poLiz7Qs | ||||
| =i/HZ | ||||
| -----END PGP SIGNATURE----- | ||||
							
								
								
									
										132
									
								
								share/security/advisories/FreeBSD-EN-15:15.pkg.asc
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										132
									
								
								share/security/advisories/FreeBSD-EN-15:15.pkg.asc
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,132 @@ | |||
| -----BEGIN PGP SIGNED MESSAGE----- | ||||
| Hash: SHA512 | ||||
| 
 | ||||
| ============================================================================= | ||||
| FreeBSD-EN-15:15.pkg                                            Errata Notice | ||||
|                                                           The FreeBSD Project | ||||
| 
 | ||||
| Topic:          Insufficient check of unsupported pkg(7) signature methods | ||||
| 
 | ||||
| Category:       core | ||||
| Module:         pkg | ||||
| Announced:      2015-08-25 | ||||
| Credits:        Fabian Keil | ||||
| Affects:        All supported versions of FreeBSD. | ||||
| Corrected:      2015-08-19 18:32:36 UTC (stable/10, 10.2-STABLE) | ||||
|                 2015-08-25 20:48:51 UTC (releng/10.2, 10.2-RC3-p2) | ||||
|                 2015-08-25 20:48:51 UTC (releng/10.2, 10.2-RELEASE-p2) | ||||
|                 2015-08-25 20:48:58 UTC (releng/10.1, 10.1-RELEASE-p19) | ||||
|                 2015-08-19 18:33:25 UTC (stable/9, 9.3-STABLE) | ||||
|                 2015-08-25 20:49:05 UTC (releng/9.3, 9.3-RELEASE-p24) | ||||
| CVE Name:       CVE-2015-5676 | ||||
| 
 | ||||
| For general information regarding FreeBSD Errata Notices and Security | ||||
| Advisories, including descriptions of the fields above, security | ||||
| branches, and the following sections, please visit | ||||
| <URL:https://security.freebsd.org/>. | ||||
| 
 | ||||
| I.   Background | ||||
| 
 | ||||
| The pkg(8) utility is the package management tool for FreeBSD.  The base | ||||
| system includes a pkg(7) bootstrap utility used to install the latest pkg(8) | ||||
| utility. | ||||
| 
 | ||||
| II.  Problem Description | ||||
| 
 | ||||
| When signature_type specified in pkg.conf(5) is set to an unsupported method, | ||||
| the pkg(7) bootstrap utility would behave as if signature_type is set to | ||||
| "none". | ||||
| 
 | ||||
| III. Impact | ||||
| 
 | ||||
| MITM attackers may be able to use this vulnerability and bypass validation, | ||||
| installing their own version of pkg(8). | ||||
| 
 | ||||
| IV.  Workaround | ||||
| 
 | ||||
| No workaround is available, but the default FreeBSD configuration is not | ||||
| affected because it uses "fingerprint" method. | ||||
| 
 | ||||
| V.   Solution | ||||
| 
 | ||||
| Perform one of the following: | ||||
| 
 | ||||
| 1) Upgrade your system to a supported FreeBSD stable or release / security | ||||
| branch (releng) dated after the correction date. | ||||
| 
 | ||||
| 2) To update your present system via a binary patch: | ||||
| 
 | ||||
| Systems running a RELEASE version of FreeBSD on the i386 or amd64 | ||||
| platforms can be updated via the freebsd-update(8) utility: | ||||
| 
 | ||||
| # freebsd-update fetch | ||||
| # freebsd-update install | ||||
| 
 | ||||
| 3) To update your present system via a source code patch: | ||||
| 
 | ||||
| The following patches have been verified to apply to the applicable | ||||
| FreeBSD release branches. | ||||
| 
 | ||||
| a) Download the relevant patch from the location below, and verify the | ||||
| detached PGP signature using your PGP utility. | ||||
| 
 | ||||
| # fetch https://security.FreeBSD.org/patches/EN-15:15/pkg.patch | ||||
| # fetch https://security.FreeBSD.org/patches/EN-15:15/pkg.patch.asc | ||||
| # gpg --verify pkg.patch.asc | ||||
| 
 | ||||
| b) Apply the patch.  Execute the following commands as root: | ||||
| 
 | ||||
| # cd /usr/src | ||||
| # patch < /path/to/patch | ||||
| 
 | ||||
| c) Recompile the operating system using buildworld and installworld as | ||||
| described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. | ||||
| 
 | ||||
| VI.  Correction details | ||||
| 
 | ||||
| The following list contains the correction revision numbers for each | ||||
| affected branch. | ||||
| 
 | ||||
| Branch/path                                                      Revision | ||||
| - ------------------------------------------------------------------------- | ||||
| stable/9/                                                         r286936 | ||||
| releng/9.3/                                                       r287147 | ||||
| stable/10/                                                        r286935 | ||||
| releng/10.1/                                                      r287146 | ||||
| releng/10.2/                                                      r287145 | ||||
| - ------------------------------------------------------------------------- | ||||
| 
 | ||||
| To see which files were modified by a particular revision, run the | ||||
| following command, replacing NNNNNN with the revision number, on a | ||||
| machine with Subversion installed: | ||||
| 
 | ||||
| # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base | ||||
| 
 | ||||
| Or visit the following URL, replacing NNNNNN with the revision number: | ||||
| 
 | ||||
| <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> | ||||
| 
 | ||||
| VII. References | ||||
| 
 | ||||
| <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5676> | ||||
| 
 | ||||
| The latest revision of this Errata Notice is available at | ||||
| https://security.FreeBSD.org/advisories/FreeBSD-EN-15:15.pkg.asc | ||||
| 
 | ||||
| -----BEGIN PGP SIGNATURE----- | ||||
| Version: GnuPG v2.1.7 (FreeBSD) | ||||
| 
 | ||||
| iQIcBAEBCgAGBQJV3NfOAAoJEO1n7NZdz2rnzHwP/30xvOZqHSRYMykrkQKcIVH7 | ||||
| Vhp0lp1z7KaDBq7xD0m08i2WSr0/pSaBU+At141iSKwvCPS0Szx307kZBO9a8gxw | ||||
| j7s6Z15qychKKGukJ5tJtKX4Q3mqAtjBoCC8wmwmJ/YNmr4HrZRL2vFp7nqAiyhl | ||||
| ntTcSuwEElBoalufeMHWd46eguRO/r9D8uWw+O7a+lLeJO9ThjnNZXOPyMfUE3Yh | ||||
| QoFpVcVdf+j6gIGUuPwNsfy4e6hBNvD0T47+PTBECTykiC1eoX+VXqf8PxKKWSOJ | ||||
| 50sKgXOtRy55dMtWbXhu5zjq4jzWFWtBPIRHM5SH/7V898S7zMerh81bsczBUqEA | ||||
| aBu1XJS1fZHlXKlav6/m/G1Wo4QgscBUsV6PhsFNpFmvAdEW2qjnH887FBm7I/Fv | ||||
| a3wvxMmQX1ABPbavFCUZmfS4khLFITYD77XLo8ciu/fyAz/X9n9p1F2EsbL8djis | ||||
| TcTuyUVv3YXeq+gJ9OcOH4CFsYSNlKEYiAd86/9DBnsiVrQJqNzqx+roHjL7ZXg6 | ||||
| AA/pqHmOEBq01idYh7PadOf+B5cU5A1CFMhjfpF1qe1yeuFFM30U7ugxjgV4w85O | ||||
| UFotAbyDlftUzeYYTQv2bK6oXzqtVagkhB/xXfQzPK9E3AnysfHA/bLysop7AMyZ | ||||
| CHeFaGA84VB1k9Ky5nSv | ||||
| =a+Ek | ||||
| -----END PGP SIGNATURE----- | ||||
							
								
								
									
										139
									
								
								share/security/advisories/FreeBSD-SA-15:21.amd64.asc
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										139
									
								
								share/security/advisories/FreeBSD-SA-15:21.amd64.asc
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,139 @@ | |||
| -----BEGIN PGP SIGNED MESSAGE----- | ||||
| Hash: SHA512 | ||||
| 
 | ||||
| ============================================================================= | ||||
| FreeBSD-SA-15:21.amd64                                      Security Advisory | ||||
|                                                           The FreeBSD Project | ||||
| 
 | ||||
| Topic:          Local privilege escalation in IRET handler | ||||
| 
 | ||||
| Category:       core | ||||
| Module:         sys_amd64 | ||||
| Announced:      2015-08-25 | ||||
| Credits:        Konstantin Belousov, Andrew Lutomirski | ||||
| Affects:        FreeBSD 9.3 and FreeBSD 10.1 | ||||
| Corrected:      2015-03-31 00:59:30 UTC (stable/10, 10.1-STABLE) | ||||
|                 2015-08-25 20:48:58 UTC (releng/10.1, 10.1-RELEASE-p19) | ||||
|                 2015-03-31 01:08:51 UTC (stable/9, 9.3-STABLE) | ||||
|                 2015-08-25 20:49:05 UTC (releng/9.3, 9.3-RELEASE-p24) | ||||
| CVE Name:       CVE-2015-5675 | ||||
| 
 | ||||
| For general information regarding FreeBSD Security Advisories, | ||||
| including descriptions of the fields above, security branches, and the | ||||
| following sections, please visit <URL:https://security.FreeBSD.org/>. | ||||
| 
 | ||||
| I.   Background | ||||
| 
 | ||||
| FreeBSD/amd64 is commonly used on 64bit systems with AMD and Intel | ||||
| CPU's. | ||||
| 
 | ||||
| The GS segment CPU register is used by both user processes and the | ||||
| kernel to conveniently access state data: 32-bit user processes use the | ||||
| register to manage per-thread data, while the kernel uses it to access | ||||
| per-processor data. | ||||
| 
 | ||||
| The return from interrupt (IRET) instruction returns program control | ||||
| from an interrupt handler to the interrupted context. | ||||
| 
 | ||||
| II.  Problem Description | ||||
| 
 | ||||
| If the kernel-mode IRET instruction generates an #SS or #NP exception, | ||||
| but the exception handler does not properly ensure that the right GS | ||||
| register base for kernel is reloaded, the userland GS segment may be | ||||
| used in the context of the kernel exception handler. | ||||
| 
 | ||||
| III. Impact | ||||
| 
 | ||||
| By causing an IRET with #SS or #NP exceptions, a local attacker can | ||||
| cause the kernel to use an arbitrary GS base, which may allow escalated | ||||
| privileges or panic the system. | ||||
| 
 | ||||
| IV.  Workaround | ||||
| 
 | ||||
| No workaround is available. | ||||
| 
 | ||||
| V.   Solution | ||||
| 
 | ||||
| Perform one of the following: | ||||
| 
 | ||||
| 1) Upgrade your vulnerable system to a supported FreeBSD stable or | ||||
| release / security branch (releng) dated after the correction date, | ||||
| and reboot the system. | ||||
| 
 | ||||
| 2) To update your vulnerable system via a binary patch: | ||||
| 
 | ||||
| Systems running a RELEASE version of FreeBSD on the i386 or amd64 | ||||
| platforms can be updated via the freebsd-update(8) utility: | ||||
| 
 | ||||
| # freebsd-update fetch | ||||
| # freebsd-update install | ||||
| 
 | ||||
| And reboot the system. | ||||
| 
 | ||||
| 3) To update your vulnerable system via a source code patch: | ||||
| 
 | ||||
| The following patches have been verified to apply to the applicable | ||||
| FreeBSD release branches. | ||||
| 
 | ||||
| a) Download the relevant patch from the location below, and verify the | ||||
| detached PGP signature using your PGP utility. | ||||
| 
 | ||||
| # fetch https://security.FreeBSD.org/patches/SA-15:21/amd64.patch | ||||
| # fetch https://security.FreeBSD.org/patches/SA-15:21/amd64.patch.asc | ||||
| # gpg --verify amd64.patch.asc | ||||
| 
 | ||||
| b) Apply the patch.  Execute the following commands as root: | ||||
| 
 | ||||
| # cd /usr/src | ||||
| # patch < /path/to/patch | ||||
| 
 | ||||
| c) Recompile your kernel as described in | ||||
| <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the | ||||
| system. | ||||
| 
 | ||||
| VI.  Correction details | ||||
| 
 | ||||
| The following list contains the correction revision numbers for each | ||||
| affected branch. | ||||
| 
 | ||||
| Branch/path                                                      Revision | ||||
| - ------------------------------------------------------------------------- | ||||
| stable/9/                                                         r280877 | ||||
| releng/9.3/                                                       r287147 | ||||
| stable/10/                                                        r280875 | ||||
| releng/10.1/                                                      r287146 | ||||
| - ------------------------------------------------------------------------- | ||||
| 
 | ||||
| To see which files were modified by a particular revision, run the | ||||
| following command, replacing NNNNNN with the revision number, on a | ||||
| machine with Subversion installed: | ||||
| 
 | ||||
| # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base | ||||
| 
 | ||||
| Or visit the following URL, replacing NNNNNN with the revision number: | ||||
| 
 | ||||
| <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> | ||||
| 
 | ||||
| VII. References | ||||
| 
 | ||||
| <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5675> | ||||
| 
 | ||||
| The latest revision of this advisory is available at | ||||
| <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:21.amd64.asc> | ||||
| -----BEGIN PGP SIGNATURE----- | ||||
| Version: GnuPG v2.1.7 (FreeBSD) | ||||
| 
 | ||||
| iQIcBAEBCgAGBQJV3Ne8AAoJEO1n7NZdz2rn5ncQANs2pS8xCowX+BM9LmKTUb2Y | ||||
| eqGCvDetXV51/ljAOS10ubc4U0Zn2D5ACyz/DfiLIXVK8vkvlnJXFh3jSK6KIqPH | ||||
| ionXa8zMedBoytZL8xIEFSpk9+cYGkGupIYEGu6CCHVZGJ5fVgTlnnazuXd4evbt | ||||
| U1/7KNWt2H1R1j0YiYZ0MvhrIF35KqFmLOGf2JmZulqruwq91tYeMlv+7IY6vtPD | ||||
| L8n5kTM7pudB3qznXd1PBMj1Y6YVG1O3WL4Stfyj93qDuMbJ+wfnao1ZKMBG0az8 | ||||
| IJITHrnTI+Xd4i/bbEoSmSN9V80S8uo/6J6JaXjtbrJfEqAMKhLrrcoMA7MHpKJQ | ||||
| L4dv2HGL1n7xfOIfj5Qo2io/LUSye5lO54LtEKZfjhzqsTtNQl57BDAYZgbQp2/A | ||||
| RsngIq3VrNcIJQK8F1Ba7SNL2+NVd091Wb+Z52837R5/D47jD2BhDia5eH6R5Opv | ||||
| 6kfzTJujbLi6b9RSn0OT+wAQbQ80qSmD+IwMXwAAg0mukthjTiJpqabpMWvMmfGO | ||||
| mhfZBGqmf1Hx4lTczSRMLlRCmjOBc+BKioHT2ciE8QMX0WrHhkRuSBqY3euVTCMB | ||||
| 9+iU7eJ23tARTbG5wMmBNRsWJzhOKieM0UEsXxso+z8tMMX1Vh/e9ls2qm+ks876 | ||||
| WYT9/yPSsyU1z/AkHJU7 | ||||
| =nHGY | ||||
| -----END PGP SIGNATURE----- | ||||
							
								
								
									
										161
									
								
								share/security/advisories/FreeBSD-SA-15:22.openssh.asc
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										161
									
								
								share/security/advisories/FreeBSD-SA-15:22.openssh.asc
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,161 @@ | |||
| -----BEGIN PGP SIGNED MESSAGE----- | ||||
| Hash: SHA512 | ||||
| 
 | ||||
| ============================================================================= | ||||
| FreeBSD-SA-15:22.openssh                                    Security Advisory | ||||
|                                                           The FreeBSD Project | ||||
| 
 | ||||
| Topic:          OpenSSH multiple vulnerabilities | ||||
| 
 | ||||
| Category:       contrib | ||||
| Module:         openssh | ||||
| Announced:      2015-08-25 | ||||
| Affects:        All supported versions of FreeBSD. | ||||
| Corrected:      2015-08-25 20:48:44 UTC (stable/10, 10.2-STABLE) | ||||
|                 2015-08-25 20:48:51 UTC (releng/10.2, 10.2-RC3-p2) | ||||
|                 2015-08-25 20:48:51 UTC (releng/10.2, 10.2-RELEASE-p2) | ||||
|                 2015-08-25 20:48:58 UTC (releng/10.1, 10.1-RELEASE-p19) | ||||
|                 2015-08-25 20:48:44 UTC (stable/9, 9.3-STABLE) | ||||
|                 2015-08-25 20:49:05 UTC (releng/9.3, 9.3-RELEASE-p24) | ||||
| 
 | ||||
| For general information regarding FreeBSD Security Advisories, | ||||
| including descriptions of the fields above, security branches, and the | ||||
| following sections, please visit <URL:https://security.FreeBSD.org/>. | ||||
| 
 | ||||
| I.   Background | ||||
| 
 | ||||
| OpenSSH is an implementation of the SSH protocol suite, providing an | ||||
| encrypted and authenticated transport for a variety of services, | ||||
| including remote shell access. | ||||
| 
 | ||||
| The PAM (Pluggable Authentication Modules) library provides a flexible | ||||
| framework for user authentication and session setup / teardown. | ||||
| 
 | ||||
| The default FreeBSD OpenSSH configuration has PAM interactive | ||||
| authentication enabled. | ||||
| 
 | ||||
| Privilege separation is a technique in which a program is divided into | ||||
| multiple cooperating processes, each with a different task, where each | ||||
| process is limited to the specific privileges required to perform that | ||||
| specific task, while the privileged parent process acts as an arbiter. | ||||
| 
 | ||||
| II.  Problem Description | ||||
| 
 | ||||
| A programming error in the privileged monitor process of the sshd(8) | ||||
| service may allow the username of an already-authenticated user to be | ||||
| overwritten by the unprivileged child process. | ||||
| 
 | ||||
| A use-after-free error in the privileged monitor process of he sshd(8) | ||||
| service may be deterministically triggered by the actions of a | ||||
| compromised unprivileged child process. | ||||
| 
 | ||||
| A use-after-free error in the session multiplexing code in the sshd(8) | ||||
| service may result in unintended termination of the connection. | ||||
| 
 | ||||
| III. Impact | ||||
| 
 | ||||
| The first bug may allow a remote attacker who a) has already succeeded | ||||
| by other means in compromising the unprivileged pre-authentication | ||||
| child process and b) has valid credentials to one user on the target | ||||
| system to impersonate a different user. | ||||
| 
 | ||||
| The second bug may allow a remote attacker who has already succeeded | ||||
| by other means in compromising the unprivileged pre-authentication | ||||
| child process to bypass PAM authentication entirely. | ||||
| 
 | ||||
| The third bug is not exploitable, but can cause premature termination | ||||
| of a multiplexed ssh connection. | ||||
| 
 | ||||
| IV.  Workaround | ||||
| 
 | ||||
| No workaround is available, but systems where ssh(1) and sshd(8) are | ||||
| not used are not vulnerable. | ||||
| 
 | ||||
| V.   Solution | ||||
| 
 | ||||
| Perform one of the following: | ||||
| 
 | ||||
| 1) Upgrade your vulnerable system to a supported FreeBSD stable or | ||||
| release / security branch (releng) dated after the correction date. | ||||
| 
 | ||||
| The sshd(8) service has to be restarted after the update.  A reboot | ||||
| is recommended but not required. | ||||
| 
 | ||||
| 2) To update your vulnerable system via a binary patch: | ||||
| 
 | ||||
| Systems running a RELEASE version of FreeBSD on the i386 or amd64 | ||||
| platforms can be updated via the freebsd-update(8) utility: | ||||
| 
 | ||||
| # freebsd-update fetch | ||||
| # freebsd-update install | ||||
| 
 | ||||
| The sshd(8) service has to be restarted after the update.  A reboot | ||||
| is recommended but not required. | ||||
| 
 | ||||
| 3) To update your vulnerable system via a source code patch: | ||||
| 
 | ||||
| The following patches have been verified to apply to the applicable | ||||
| FreeBSD release branches. | ||||
| 
 | ||||
| a) Download the relevant patch from the location below, and verify the | ||||
| detached PGP signature using your PGP utility. | ||||
| 
 | ||||
| # fetch https://security.FreeBSD.org/patches/SA-15:22/openssh.patch | ||||
| # fetch https://security.FreeBSD.org/patches/SA-15:22/openssh.patch.asc | ||||
| # gpg --verify openssh.patch.asc | ||||
| 
 | ||||
| b) Apply the patch.  Execute the following commands as root: | ||||
| 
 | ||||
| # cd /usr/src | ||||
| # patch < /path/to/patch | ||||
| 
 | ||||
| c) Recompile the operating system using buildworld and installworld as | ||||
| described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. | ||||
| 
 | ||||
| Restart the sshd(8) daemon, or reboot the system. | ||||
| 
 | ||||
| VI.  Correction details | ||||
| 
 | ||||
| The following list contains the correction revision numbers for each | ||||
| affected branch. | ||||
| 
 | ||||
| Branch/path                                                      Revision | ||||
| - ------------------------------------------------------------------------- | ||||
| stable/9/                                                         r287144 | ||||
| releng/9.3/                                                       r287147 | ||||
| stable/10/                                                        r287144 | ||||
| releng/10.1/                                                      r287146 | ||||
| releng/10.2/                                                      r287145 | ||||
| - ------------------------------------------------------------------------- | ||||
| 
 | ||||
| To see which files were modified by a particular revision, run the | ||||
| following command, replacing NNNNNN with the revision number, on a | ||||
| machine with Subversion installed: | ||||
| 
 | ||||
| # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base | ||||
| 
 | ||||
| Or visit the following URL, replacing NNNNNN with the revision number: | ||||
| 
 | ||||
| <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> | ||||
| 
 | ||||
| VII. References | ||||
| 
 | ||||
| The latest revision of this advisory is available at | ||||
| <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:22.openssh.asc> | ||||
| -----BEGIN PGP SIGNATURE----- | ||||
| Version: GnuPG v2.1.7 (FreeBSD) | ||||
| 
 | ||||
| iQIcBAEBCgAGBQJV3Ne8AAoJEO1n7NZdz2rnxq8P/jW05a6zT9n78wxBuHwRJ9gx | ||||
| 7+CN9AsezavW4HmZF4GmWt6SjnJqpLDMwnhceo7po6ZMIxjyWwxBWWfvUwVqezwa | ||||
| kT+DS7oHKmeZAwCSFMj9K25NN+x7KAwXXiiANcj4U4iU+q0YrcEGVIBKVqCAn3ly | ||||
| pJAkMxdTbwlWR7MaPaTMbMenVOs87b6Xx/4gfSBWolFWz9bKfdTYCxK/AnULVIZq | ||||
| Q7lShezEvgyCb8b6QLvnrY4AwHtVduiYxnvNKv8ysbaatZCarkRS8nh68zGcdTBg | ||||
| IyzG5OEtUFokVkroJaLWFXL1mUp7tgn9+UNd0/53wFN2DTZKw9oTAkKn8xrbbOSa | ||||
| xQqYFhsmqsnKlBJMEMaoK9JgGZZ6xOGo3JZ6yrFfYxiZ9xFaR843rOUe0UVrxh+L | ||||
| +2DmALTyLWSkeqlcg66oKqYKMQuvUyd6VpPL0yHpB0AqBTjKjUmG9RgG8AT5MpqW | ||||
| P3weyD0n7rOCBfagofx8MIy15REwjcQSUptarWrMwhJPua95RJ/IAVIIThGrMzZ5 | ||||
| PxyWDFU7B/56FRlmX5+6mfi/NC60yIyR6lg0trBtuiiEfNV+HWz6QXOIUMYQvvo9 | ||||
| w8fXSy6MJ12jTFqm0+CXbx2wWEVxAZS/wtLDsa3nf2oGkO3upzFl0/fvsR1dZ/hl | ||||
| plo/3SMPpFFbfvIhy2V/ | ||||
| =2w70 | ||||
| -----END PGP SIGNATURE----- | ||||
							
								
								
									
										26
									
								
								share/security/patches/EN-15:14/ixgbe.patch
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										26
									
								
								share/security/patches/EN-15:14/ixgbe.patch
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,26 @@ | |||
| Index: sys/conf/files
 | ||||
| ===================================================================
 | ||||
| --- sys/conf/files	(revision 286787)
 | ||||
| +++ sys/conf/files	(working copy)
 | ||||
| @@ -1704,7 +1704,7 @@ dev/ixgb/if_ixgb.c		optional ixgb
 | ||||
|  dev/ixgb/ixgb_ee.c		optional ixgb | ||||
|  dev/ixgb/ixgb_hw.c		optional ixgb | ||||
|  dev/ixgbe/ixgbe.c		optional ixgbe inet \ | ||||
| -	compile-with "${NORMAL_C} -I$S/dev/ixgbe -DSMP -DIXGBE_FDIR"
 | ||||
| +	compile-with "${NORMAL_C} -I$S/dev/ixgbe -DSMP"
 | ||||
|  dev/ixgbe/ixv.c			optional ixgbe inet \ | ||||
|  	compile-with "${NORMAL_C} -I$S/dev/ixgbe" | ||||
|  dev/ixgbe/ixgbe_phy.c		optional ixgbe inet \ | ||||
| Index: sys/modules/ixgbe/Makefile
 | ||||
| ===================================================================
 | ||||
| --- sys/modules/ixgbe/Makefile	(revision 286787)
 | ||||
| +++ sys/modules/ixgbe/Makefile	(working copy)
 | ||||
| @@ -12,7 +12,7 @@ SRCS    += ixgbe.c ixv.c
 | ||||
|  SRCS    += ixgbe_common.c ixgbe_api.c ixgbe_phy.c ixgbe_mbx.c ixgbe_vf.c | ||||
|  SRCS    += ixgbe_dcb.c ixgbe_dcb_82598.c ixgbe_dcb_82599.c | ||||
|  SRCS    += ixgbe_82599.c ixgbe_82598.c ixgbe_x540.c | ||||
| -CFLAGS+= -I${.CURDIR}/../../dev/ixgbe -DSMP -DIXGBE_FDIR
 | ||||
| +CFLAGS+= -I${.CURDIR}/../../dev/ixgbe -DSMP
 | ||||
|   | ||||
|  .if !defined(KERNBUILDDIR) | ||||
|  .if ${MK_INET_SUPPORT} != "no" | ||||
							
								
								
									
										17
									
								
								share/security/patches/EN-15:14/ixgbe.patch.asc
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										17
									
								
								share/security/patches/EN-15:14/ixgbe.patch.asc
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,17 @@ | |||
| -----BEGIN PGP SIGNATURE----- | ||||
| Version: GnuPG v2.1.7 (FreeBSD) | ||||
| 
 | ||||
| iQIcBAABCgAGBQJV3NfSAAoJEO1n7NZdz2rnwaoP/2b/ter6TOaSERlf0QxN8e9X | ||||
| c+aSr9LLLVQG4MtzuYS6mFHp1uDgA4dwFVlSZjXp9ZJBtSt5HWZDzDKO1eaFz9YR | ||||
| cY2zCC8Mo3H+KlXrDSBYaT9JCA7fEPTFQKvfDGushRDF6h6AoVoOl7W4IWOhZ+Nk | ||||
| SbbvMOBAyVHrevyT8gLBv2+nPeEtv4vvYg5Rq/HqCUW0IkxCFuhvMj30kQBrQYM1 | ||||
| lOyXOGOC+SqPgeqN6+j9HPI3Fx7xDzPF/I1zThPI+Nvgn9BZRhTT1+Ev+g5MxGNy | ||||
| Z3mv4aW2tSJQksDsYa2X0wDl8/yvFhliQwLVmkDp27sf5dVsRqrJZwMwY4r6I8Ej | ||||
| JHFoJxyiCqQzfq5dWuBgVuyk1NYPF5GdZLEp7gP1i6Swbn+1kjYBh0HPkJK9VMcZ | ||||
| uYlHzEoUoQAbTfxs5N/Am82lT6ljvNvdbU9960Hilb8ObkJNop7vxWc9oNFhud20 | ||||
| ECJF68Hw6CjjDFywEeY2c479Xs0Shf7sDXBId+RGNvjFXWWRGBV1YXk0w+gsUuUd | ||||
| r1P8D7ixy/ZQOPauw61+SC2DS3icMuwmSQamD1pOxmSvK0x+lLNRDK52X93TTA24 | ||||
| 4yvOvh7ePktvZLWWO0y375ZsEWfVnZRpf39rjaEpz/0jwREULkmz1HjipozDRhJn | ||||
| 4No3c9hi9rwcH/oU0/xd | ||||
| =txUl | ||||
| -----END PGP SIGNATURE----- | ||||
							
								
								
									
										34
									
								
								share/security/patches/EN-15:15/pkg.patch
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										34
									
								
								share/security/patches/EN-15:15/pkg.patch
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,34 @@ | |||
| Index: usr.sbin/pkg/pkg.c
 | ||||
| ===================================================================
 | ||||
| --- usr.sbin/pkg/pkg.c	(revision 286787)
 | ||||
| +++ usr.sbin/pkg/pkg.c	(working copy)
 | ||||
| @@ -749,7 +749,13 @@ bootstrap_pkg(bool force)
 | ||||
|  		goto fetchfail; | ||||
|   | ||||
|  	if (signature_type != NULL && | ||||
| -	    strcasecmp(signature_type, "FINGERPRINTS") == 0) {
 | ||||
| +	    strcasecmp(signature_type, "NONE") != 0) {
 | ||||
| +		if (strcasecmp(signature_type, "FINGERPRINTS") != 0) {
 | ||||
| +			warnx("Signature type %s is not supported for "
 | ||||
| +			    "bootstrapping.", signature_type);
 | ||||
| +			goto cleanup;
 | ||||
| +		}
 | ||||
| +
 | ||||
|  		snprintf(tmpsig, MAXPATHLEN, "%s/pkg.txz.sig.XXXXXX", | ||||
|  		    getenv("TMPDIR") ? getenv("TMPDIR") : _PATH_TMP); | ||||
|  		snprintf(url, MAXPATHLEN, "%s/Latest/pkg.txz.sig", | ||||
| @@ -834,7 +840,13 @@ bootstrap_pkg_local(const char *pkgpath, bool forc
 | ||||
|  		return (-1); | ||||
|  	} | ||||
|  	if (signature_type != NULL && | ||||
| -	    strcasecmp(signature_type, "FINGERPRINTS") == 0) {
 | ||||
| +	    strcasecmp(signature_type, "NONE") != 0) {
 | ||||
| +		if (strcasecmp(signature_type, "FINGERPRINTS") != 0) {
 | ||||
| +			warnx("Signature type %s is not supported for "
 | ||||
| +			    "bootstrapping.", signature_type);
 | ||||
| +			goto cleanup;
 | ||||
| +		}
 | ||||
| +
 | ||||
|  		snprintf(path, sizeof(path), "%s.sig", pkgpath); | ||||
|   | ||||
|  		if ((fd_sig = open(path, O_RDONLY)) == -1) { | ||||
							
								
								
									
										17
									
								
								share/security/patches/EN-15:15/pkg.patch.asc
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										17
									
								
								share/security/patches/EN-15:15/pkg.patch.asc
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,17 @@ | |||
| -----BEGIN PGP SIGNATURE----- | ||||
| Version: GnuPG v2.1.7 (FreeBSD) | ||||
| 
 | ||||
| iQIcBAABCgAGBQJV3NfSAAoJEO1n7NZdz2rnghsP/3LVlVtT+vCVLMrVcy2gZ2q8 | ||||
| y9BICtPx2M2PRR9JOPBjD+DrcOZV9QrCX5FLvPmBDvFSMgGp+1EvZP9r/DFOngJ4 | ||||
| B1+enlcBl48FoK6UmWhvScvDywH7wRoBFIh9HeSP+z6HXhYhDXpyS9XGiBXcTYFA | ||||
| QEAJOa+gdiA1trhgYZZpI3EQ/SzB/D2MiBZPGqtCgmL50lWRJS6Q79EYi11sPSoF | ||||
| Lovjipxp3FYrlFODsB1iBFReXC8E1k8s+peXJFZfFAM+HUh2YAXFhYnJ1Bleq8Jb | ||||
| zNox48EF7d4dXgFZVBAqgxpmuvVVpCsVWrZikLLcCzspIoKF1+F8+ZNyCDvfhSOm | ||||
| tWFH1NjE14U4NvF1ratwfSFSOogVyUrYSr0s2n3EWhmp2V5I4Q8Zz43GPVk6z/Qm | ||||
| LXInkYPVE6mI1l08MhW2EMJTNmp2euXgzorb/JVO01Zj5XGobB9C4XA5+3/AWu0P | ||||
| xKRfYp52z4rwX8w3RnzTM5L7l1uLm9LPlSis3rsZJvgpE2UHLpgahAgNMlGzYzQT | ||||
| M0cj0h/E2xfvrUYkrW9l35NOsZZ5Q0Ox4ft59ua3QZm8RxUKcWdaAf2fy0t1F53u | ||||
| YdA1bMVWFInVYYGwS/qrNj9yjoJcAa8E2v06McWyCZ8J2Tx3Gj50oWcebmiJtLxO | ||||
| RA9lcL+X6yPGHCROPmng | ||||
| =6SMS | ||||
| -----END PGP SIGNATURE----- | ||||
							
								
								
									
										53
									
								
								share/security/patches/SA-15:21/amd64.patch
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										53
									
								
								share/security/patches/SA-15:21/amd64.patch
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,53 @@ | |||
| Index: sys/amd64/amd64/exception.S
 | ||||
| ===================================================================
 | ||||
| --- sys/amd64/amd64/exception.S	(revision 286969)
 | ||||
| +++ sys/amd64/amd64/exception.S	(working copy)
 | ||||
| @@ -154,9 +154,13 @@ IDTVEC(xmm)
 | ||||
|  IDTVEC(tss) | ||||
|  	TRAP_ERR(T_TSSFLT) | ||||
|  IDTVEC(missing) | ||||
| -	TRAP_ERR(T_SEGNPFLT)
 | ||||
| +	subq	$TF_ERR,%rsp
 | ||||
| +	movl	$T_SEGNPFLT,TF_TRAPNO(%rsp)
 | ||||
| +	jmp	prot_addrf
 | ||||
|  IDTVEC(stk) | ||||
| -	TRAP_ERR(T_STKFLT)
 | ||||
| +	subq	$TF_ERR,%rsp
 | ||||
| +	movl	$T_STKFLT,TF_TRAPNO(%rsp)
 | ||||
| +	jmp	prot_addrf
 | ||||
|  IDTVEC(align) | ||||
|  	TRAP_ERR(T_ALIGNFLT) | ||||
|   | ||||
| @@ -319,6 +323,7 @@ IDTVEC(page)
 | ||||
|  IDTVEC(prot) | ||||
|  	subq	$TF_ERR,%rsp | ||||
|  	movl	$T_PROTFLT,TF_TRAPNO(%rsp) | ||||
| +prot_addrf:
 | ||||
|  	movq	$0,TF_ADDR(%rsp) | ||||
|  	movq	%rdi,TF_RDI(%rsp)	/* free up a GP register */ | ||||
|  	leaq	doreti_iret(%rip),%rdi | ||||
| Index: sys/amd64/amd64/machdep.c
 | ||||
| ===================================================================
 | ||||
| --- sys/amd64/amd64/machdep.c	(revision 286969)
 | ||||
| +++ sys/amd64/amd64/machdep.c	(working copy)
 | ||||
| @@ -428,6 +428,7 @@ sendsig(sig_t catcher, ksiginfo_t *ksi, sigset_t *
 | ||||
|  	regs->tf_rflags &= ~(PSL_T | PSL_D); | ||||
|  	regs->tf_cs = _ucodesel; | ||||
|  	regs->tf_ds = _udatasel; | ||||
| +	regs->tf_ss = _udatasel;
 | ||||
|  	regs->tf_es = _udatasel; | ||||
|  	regs->tf_fs = _ufssel; | ||||
|  	regs->tf_gs = _ugssel; | ||||
| Index: sys/amd64/amd64/trap.c
 | ||||
| ===================================================================
 | ||||
| --- sys/amd64/amd64/trap.c	(revision 286969)
 | ||||
| +++ sys/amd64/amd64/trap.c	(working copy)
 | ||||
| @@ -473,8 +473,6 @@ trap(struct trapframe *frame)
 | ||||
|  			goto out; | ||||
|   | ||||
|  		case T_STKFLT:		/* stack fault */ | ||||
| -			break;
 | ||||
| -
 | ||||
|  		case T_PROTFLT:		/* general protection fault */ | ||||
|  		case T_SEGNPFLT:	/* segment not present fault */ | ||||
|  			if (td->td_intr_nesting_level != 0) | ||||
							
								
								
									
										17
									
								
								share/security/patches/SA-15:21/amd64.patch.asc
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										17
									
								
								share/security/patches/SA-15:21/amd64.patch.asc
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,17 @@ | |||
| -----BEGIN PGP SIGNATURE----- | ||||
| Version: GnuPG v2.1.7 (FreeBSD) | ||||
| 
 | ||||
| iQIcBAABCgAGBQJV3Ne1AAoJEO1n7NZdz2rnwuYP/i6fWwcpTVRtC9Fi9IDv6crB | ||||
| gTpiDC5oNLxBBk3INWkt03oBL5WenM48/fiIZ4/qICWZEaEGMWALsLhIjC1uE6z1 | ||||
| 6cZHUA4zUr9Fnx7YhwGMXeLugTPbjHDTKheKdiebjZ3xU8LNp7h4TcanPBSB4rM1 | ||||
| 6qhJLki9EIfHqLTJa0MXR7T0xOBUvd9337NgN99kYpE9R22h+Fl4UXLpJfkS5/zn | ||||
| i9RsqFCTK4iD5f0BCGvPVK+m2mDAIuedgoYNQxAdeiZ8SjeObDeXX27Po0pcK2V7 | ||||
| mK7gaYrwFiHlVjgxenR+TKYoWGKl3OV6x9lmy2V11xuCIIXHU8umlNG2zBlEK8Da | ||||
| b7Dk+9Wmsoz5LspQORYWMHjLs6H0Q18udhztzlzlJHE1XZ9O3idV5dBxh3WrYzU4 | ||||
| Yh3iWRTJiCp34dR98xSePhOq6FHw/jJcRH8M6MXus47Ssf32CvToLBFbfio6T2U5 | ||||
| lQ6yLWIBrnl5WyGBtwNSGEzEWMgfvjU7PL2LEt5xnLR8F7+nQvysAXlt9MfTAexT | ||||
| +Jrn44Sc5dy/mK5d7Tmxpo1VQ9rqI1Msn+5TW0p4/aG7/XnQruwzN8QVwAOajgQt | ||||
| cxZ0RmvV+8iLCAmvRuJszYqbo+VkRC2PtTWHmNjCwddYAawC+Rg9m2an/pJQaH/d | ||||
| 0YB0zGqhLzGJV9L2+uem | ||||
| =7Eoy | ||||
| -----END PGP SIGNATURE----- | ||||
							
								
								
									
										68
									
								
								share/security/patches/SA-15:22/openssh.patch
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										68
									
								
								share/security/patches/SA-15:22/openssh.patch
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,68 @@ | |||
| Index: crypto/openssh/monitor.c
 | ||||
| ===================================================================
 | ||||
| --- crypto/openssh/monitor.c	(revision 286787)
 | ||||
| +++ crypto/openssh/monitor.c	(working copy)
 | ||||
| @@ -1027,9 +1027,7 @@ extern KbdintDevice sshpam_device;
 | ||||
|  int | ||||
|  mm_answer_pam_init_ctx(int sock, Buffer *m) | ||||
|  { | ||||
| -
 | ||||
|  	debug3("%s", __func__); | ||||
| -	authctxt->user = buffer_get_string(m, NULL);
 | ||||
|  	sshpam_ctxt = (sshpam_device.init_ctx)(authctxt); | ||||
|  	sshpam_authok = NULL; | ||||
|  	buffer_clear(m); | ||||
| @@ -1111,14 +1109,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
 | ||||
|  int | ||||
|  mm_answer_pam_free_ctx(int sock, Buffer *m) | ||||
|  { | ||||
| +	int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
 | ||||
|   | ||||
|  	debug3("%s", __func__); | ||||
|  	(sshpam_device.free_ctx)(sshpam_ctxt); | ||||
| +	sshpam_ctxt = sshpam_authok = NULL;
 | ||||
|  	buffer_clear(m); | ||||
|  	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); | ||||
|  	auth_method = "keyboard-interactive"; | ||||
|  	auth_submethod = "pam"; | ||||
| -	return (sshpam_authok == sshpam_ctxt);
 | ||||
| +	return r;
 | ||||
|  } | ||||
|  #endif | ||||
|   | ||||
| Index: crypto/openssh/monitor_wrap.c
 | ||||
| ===================================================================
 | ||||
| --- crypto/openssh/monitor_wrap.c	(revision 286787)
 | ||||
| +++ crypto/openssh/monitor_wrap.c	(working copy)
 | ||||
| @@ -820,7 +820,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
 | ||||
|   | ||||
|  	debug3("%s", __func__); | ||||
|  	buffer_init(&m); | ||||
| -	buffer_put_cstring(&m, authctxt->user);
 | ||||
|  	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m); | ||||
|  	debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__); | ||||
|  	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m); | ||||
| Index: crypto/openssh/mux.c
 | ||||
| ===================================================================
 | ||||
| --- crypto/openssh/mux.c	(revision 286787)
 | ||||
| +++ crypto/openssh/mux.c	(working copy)
 | ||||
| @@ -635,7 +635,8 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer
 | ||||
|  	u_int lport, cport; | ||||
|  	int i, ret = 0, freefwd = 1; | ||||
|   | ||||
| -	fwd.listen_host = fwd.connect_host = NULL;
 | ||||
| +	memset(&fwd, 0, sizeof(fwd));
 | ||||
| +
 | ||||
|  	if (buffer_get_int_ret(&ftype, m) != 0 || | ||||
|  	    (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL || | ||||
|  	    buffer_get_int_ret(&lport, m) != 0 || | ||||
| @@ -785,7 +786,8 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffe
 | ||||
|  	int i, listen_port, ret = 0; | ||||
|  	u_int lport, cport; | ||||
|   | ||||
| -	fwd.listen_host = fwd.connect_host = NULL;
 | ||||
| +	memset(&fwd, 0, sizeof(fwd));
 | ||||
| +
 | ||||
|  	if (buffer_get_int_ret(&ftype, m) != 0 || | ||||
|  	    (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL || | ||||
|  	    buffer_get_int_ret(&lport, m) != 0 || | ||||
							
								
								
									
										17
									
								
								share/security/patches/SA-15:22/openssh.patch.asc
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										17
									
								
								share/security/patches/SA-15:22/openssh.patch.asc
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,17 @@ | |||
| -----BEGIN PGP SIGNATURE----- | ||||
| Version: GnuPG v2.1.7 (FreeBSD) | ||||
| 
 | ||||
| iQIcBAABCgAGBQJV3Ne1AAoJEO1n7NZdz2rnaD4P/27Y0Bd6TwsCXR33YG8bmmpO | ||||
| ASZxD1GyWFqZyTIrPw+gBN2SkfxROnjMSq5/RfbAgbTthQYEQ+vu7aX4rbpuGQ3E | ||||
| 5nK1IJlCS9abr84QWOxFXuDtBrLuYhb4WRmMNpGANfmA+ZtKap7fNkdLsU5XYnGf | ||||
| wftLAWPtUF1GxPPFcc9NZdXyOePg4UcfTFqfPkHmdeEPSLlOhkCHv4ZtuWPg4VMB | ||||
| ++uEZCAS+U1Ky4NIKaGmE9lO5x9LWzQnXzluLXHPAAnMxi4uTLs4DFocGgLR9Xvv | ||||
| NftlvAzJuQWzIAr5Tp/5YB24nqJB+qAMNwwmSMvsL2MFDI4Zepqq3o0Ss4xAPOjU | ||||
| taBDNow1+S/tLPH2jtF3hu/DP2H8HkSm5UqNWrHP8vS4UXqlXIofjaA5mTddtGLK | ||||
| FXc6C+NQ2G7bqgw+g5kiO+XH3gYBMxJtuRyBCIekeBAtIISoevz/V+ejFdTE0EFP | ||||
| MuvC4HWhSttdTJkdC74+WdcNWqpQ14iHwdrlY8Gazv9wQz/iwonZO7pzE+lea+j3 | ||||
| f+e/2dyQLXxEIxrfGRRZljuekbvLnEn+DUSV9mExpNP60ZvRBKyVOBDcnteP3VhY | ||||
| 4LAMaSFzE7kgPuhaLBfzecEFDd06Eiz7LEd4HesXVqpKBP1fBOevfAxW8Izidg/1 | ||||
| /t/RV1/NkgKrKgNBkO97 | ||||
| =ZQpd | ||||
| -----END PGP SIGNATURE----- | ||||
|  | @ -10,6 +10,18 @@ | |||
|     <month> | ||||
|       <name>8</name> | ||||
| 
 | ||||
|       <day> | ||||
|         <name>25</name> | ||||
| 
 | ||||
|         <advisory> | ||||
|           <name>FreeBSD-SA-15:22.openssh</name> | ||||
|         </advisory> | ||||
| 
 | ||||
|         <advisory> | ||||
|           <name>FreeBSD-SA-15:21.amd64</name> | ||||
|         </advisory> | ||||
|       </day> | ||||
| 
 | ||||
|       <day> | ||||
|         <name>18</name> | ||||
| 
 | ||||
|  |  | |||
|  | @ -10,6 +10,18 @@ | |||
|     <month> | ||||
|       <name>8</name> | ||||
| 
 | ||||
|       <day> | ||||
|         <name>25</name> | ||||
| 
 | ||||
|         <notice> | ||||
|           <name>FreeBSD-EN-15:15.pkg</name> | ||||
|         </notice> | ||||
| 
 | ||||
|         <notice> | ||||
|           <name>FreeBSD-EN-15:14.ixgbe</name> | ||||
|         </notice> | ||||
|       </day> | ||||
| 
 | ||||
|       <day> | ||||
|         <name>18</name> | ||||
| 
 | ||||
|  |  | |||
		Loading…
	
	Add table
		Add a link
		
	
		Reference in a new issue