Add SA-15:21.amd64, SA-15:22.openssh, EN-15:14.ixgbe and EN-15:15.pkg.

svn path=/head/; revision=47309

share/security/advisories/FreeBSD-EN-15:14.ixgbe.asc

@@ -0,0 +1,121 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-15:14.ixgbe                                          Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Disable ixgbe(4) flow-director support
+
+Category:       core
+Module:         ixgbe
+Announced:      2015-08-25
+Credits:        Marc De La Gueronniere (Verisign, Inc.)
+Affects:        FreeBSD 10.1
+Corrected:      2014-10-11 22:10:39 UTC (stable/10, 10.1-STABLE)
+                2015-08-25 20:48:58 UTC (releng/10.1, 10.1-RELEASE-p19)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.freebsd.org/>.
+
+I.   Background
+
+Flow director is an Intel technology to steer incoming packets in application
+aware fashion.
+
+II.  Problem Description
+
+Flow director support is not completely/correctly implemented in FreeBSD at
+this time.
+
+III. Impact
+
+Enabling flow director support may cause traffic to land on a wrong RX queue
+of the NIC, resulting in bad or sub-optimal performance on the receive side.
+
+IV.  Workaround
+
+No workaround is available, but systems that do not have Intel(R) 82559
+series 10Gb Ethernet Controllers are not affected.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+2) To update your present system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your present system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-15:14/ixgbe.patch
+# fetch https://security.FreeBSD.org/patches/EN-15:14/ixgbe.patch.asc
+# gpg --verify ixgbe.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r272967
+releng/10.1/                                                      r287146
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this Errata Notice is available at
+https://security.FreeBSD.org/advisories/FreeBSD-EN-15:14.ixgbe.asc
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.7 (FreeBSD)
+
+iQIcBAEBCgAGBQJV3NfOAAoJEO1n7NZdz2rnImEP/j4kfmZ2XqZ/zbQINCPfybyU
+oSIgqyD6u4G/hy3gS4k7eLk6tQdUpnYzcoLLfeq0F2uY3DmWXJDBAKG0Bg7QaSzJ
+3wWyZsN6XHkgNNCFGFsmep//8kAAXoAgJ2IoIPLe6eRHimESLtW2xlnow5PFL4Aw
+JMj5B/RoxtQZ/phE1zJym7eSpjVUbBrqhj/KkJUZ0W6WOkaT0GPVctvHlc2buZh7
+6u17LKgZaMMmmCvBNggkYGfiE51aJ9I0n5FdAHvlcaLCw+K58/Q6M2CRpMIorgh6
+uaUHLZdT8VcZ8KVmDdBul0sZ9pkprHZ4J/htEL2mCOpmsRn/lduHAvf921mtX/64
+Msg8bdXM48Q5WCv9sfcmMVgMA+6m+MekKc9wKYWw6Ldy0wcQ874jE+nuh3KBq+6X
+Te4VbxrwuAnspqrnt4Q4NXnqxyElO0BGo6lCSEUGCRje+hlOWG2WhftEV894cRG+
+JCS6YRvX5C7i8+XD+MhvTeAi7pbaZkq6ODxQAOZgbz4JMQFq8ldOgvLdhUndKGlH
+xJ9/pK4u5kxXyVx4HPGm0MYlijjHDi/sSAJADutikpNOzlhyZqubA8LgLoBXtyfF
+/Kk3GYOJvOMSK8QB7YxFRS+zPi1YxAFPEJb7ZV2ygf6RMZpIFoRLFt1kDszo+TeZ
+iKXcFJvlwI49poLiz7Qs
+=i/HZ
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-EN-15:15.pkg.asc

@@ -0,0 +1,132 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-15:15.pkg                                            Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Insufficient check of unsupported pkg(7) signature methods
+
+Category:       core
+Module:         pkg
+Announced:      2015-08-25
+Credits:        Fabian Keil
+Affects:        All supported versions of FreeBSD.
+Corrected:      2015-08-19 18:32:36 UTC (stable/10, 10.2-STABLE)
+                2015-08-25 20:48:51 UTC (releng/10.2, 10.2-RC3-p2)
+                2015-08-25 20:48:51 UTC (releng/10.2, 10.2-RELEASE-p2)
+                2015-08-25 20:48:58 UTC (releng/10.1, 10.1-RELEASE-p19)
+                2015-08-19 18:33:25 UTC (stable/9, 9.3-STABLE)
+                2015-08-25 20:49:05 UTC (releng/9.3, 9.3-RELEASE-p24)
+CVE Name:       CVE-2015-5676
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.freebsd.org/>.
+
+I.   Background
+
+The pkg(8) utility is the package management tool for FreeBSD.  The base
+system includes a pkg(7) bootstrap utility used to install the latest pkg(8)
+utility.
+
+II.  Problem Description
+
+When signature_type specified in pkg.conf(5) is set to an unsupported method,
+the pkg(7) bootstrap utility would behave as if signature_type is set to
+"none".
+
+III. Impact
+
+MITM attackers may be able to use this vulnerability and bypass validation,
+installing their own version of pkg(8).
+
+IV.  Workaround
+
+No workaround is available, but the default FreeBSD configuration is not
+affected because it uses "fingerprint" method.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+2) To update your present system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your present system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-15:15/pkg.patch
+# fetch https://security.FreeBSD.org/patches/EN-15:15/pkg.patch.asc
+# gpg --verify pkg.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/9/                                                         r286936
+releng/9.3/                                                       r287147
+stable/10/                                                        r286935
+releng/10.1/                                                      r287146
+releng/10.2/                                                      r287145
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5676>
+
+The latest revision of this Errata Notice is available at
+https://security.FreeBSD.org/advisories/FreeBSD-EN-15:15.pkg.asc
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.7 (FreeBSD)
+
+iQIcBAEBCgAGBQJV3NfOAAoJEO1n7NZdz2rnzHwP/30xvOZqHSRYMykrkQKcIVH7
+Vhp0lp1z7KaDBq7xD0m08i2WSr0/pSaBU+At141iSKwvCPS0Szx307kZBO9a8gxw
+j7s6Z15qychKKGukJ5tJtKX4Q3mqAtjBoCC8wmwmJ/YNmr4HrZRL2vFp7nqAiyhl
+ntTcSuwEElBoalufeMHWd46eguRO/r9D8uWw+O7a+lLeJO9ThjnNZXOPyMfUE3Yh
+QoFpVcVdf+j6gIGUuPwNsfy4e6hBNvD0T47+PTBECTykiC1eoX+VXqf8PxKKWSOJ
+50sKgXOtRy55dMtWbXhu5zjq4jzWFWtBPIRHM5SH/7V898S7zMerh81bsczBUqEA
+aBu1XJS1fZHlXKlav6/m/G1Wo4QgscBUsV6PhsFNpFmvAdEW2qjnH887FBm7I/Fv
+a3wvxMmQX1ABPbavFCUZmfS4khLFITYD77XLo8ciu/fyAz/X9n9p1F2EsbL8djis
+TcTuyUVv3YXeq+gJ9OcOH4CFsYSNlKEYiAd86/9DBnsiVrQJqNzqx+roHjL7ZXg6
+AA/pqHmOEBq01idYh7PadOf+B5cU5A1CFMhjfpF1qe1yeuFFM30U7ugxjgV4w85O
+UFotAbyDlftUzeYYTQv2bK6oXzqtVagkhB/xXfQzPK9E3AnysfHA/bLysop7AMyZ
+CHeFaGA84VB1k9Ky5nSv
+=a+Ek
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-SA-15:21.amd64.asc

@@ -0,0 +1,139 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:21.amd64                                      Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Local privilege escalation in IRET handler
+
+Category:       core
+Module:         sys_amd64
+Announced:      2015-08-25
+Credits:        Konstantin Belousov, Andrew Lutomirski
+Affects:        FreeBSD 9.3 and FreeBSD 10.1
+Corrected:      2015-03-31 00:59:30 UTC (stable/10, 10.1-STABLE)
+                2015-08-25 20:48:58 UTC (releng/10.1, 10.1-RELEASE-p19)
+                2015-03-31 01:08:51 UTC (stable/9, 9.3-STABLE)
+                2015-08-25 20:49:05 UTC (releng/9.3, 9.3-RELEASE-p24)
+CVE Name:       CVE-2015-5675
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+FreeBSD/amd64 is commonly used on 64bit systems with AMD and Intel
+CPU's.
+
+The GS segment CPU register is used by both user processes and the
+kernel to conveniently access state data: 32-bit user processes use the
+register to manage per-thread data, while the kernel uses it to access
+per-processor data.
+
+The return from interrupt (IRET) instruction returns program control
+from an interrupt handler to the interrupted context.
+
+II.  Problem Description
+
+If the kernel-mode IRET instruction generates an #SS or #NP exception,
+but the exception handler does not properly ensure that the right GS
+register base for kernel is reloaded, the userland GS segment may be
+used in the context of the kernel exception handler.
+
+III. Impact
+
+By causing an IRET with #SS or #NP exceptions, a local attacker can
+cause the kernel to use an arbitrary GS base, which may allow escalated
+privileges or panic the system.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot the system.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+And reboot the system.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-15:21/amd64.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:21/amd64.patch.asc
+# gpg --verify amd64.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/9/                                                         r280877
+releng/9.3/                                                       r287147
+stable/10/                                                        r280875
+releng/10.1/                                                      r287146
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5675>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:21.amd64.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.7 (FreeBSD)
+
+iQIcBAEBCgAGBQJV3Ne8AAoJEO1n7NZdz2rn5ncQANs2pS8xCowX+BM9LmKTUb2Y
+eqGCvDetXV51/ljAOS10ubc4U0Zn2D5ACyz/DfiLIXVK8vkvlnJXFh3jSK6KIqPH
+ionXa8zMedBoytZL8xIEFSpk9+cYGkGupIYEGu6CCHVZGJ5fVgTlnnazuXd4evbt
+U1/7KNWt2H1R1j0YiYZ0MvhrIF35KqFmLOGf2JmZulqruwq91tYeMlv+7IY6vtPD
+L8n5kTM7pudB3qznXd1PBMj1Y6YVG1O3WL4Stfyj93qDuMbJ+wfnao1ZKMBG0az8
+IJITHrnTI+Xd4i/bbEoSmSN9V80S8uo/6J6JaXjtbrJfEqAMKhLrrcoMA7MHpKJQ
+L4dv2HGL1n7xfOIfj5Qo2io/LUSye5lO54LtEKZfjhzqsTtNQl57BDAYZgbQp2/A
+RsngIq3VrNcIJQK8F1Ba7SNL2+NVd091Wb+Z52837R5/D47jD2BhDia5eH6R5Opv
+6kfzTJujbLi6b9RSn0OT+wAQbQ80qSmD+IwMXwAAg0mukthjTiJpqabpMWvMmfGO
+mhfZBGqmf1Hx4lTczSRMLlRCmjOBc+BKioHT2ciE8QMX0WrHhkRuSBqY3euVTCMB
+9+iU7eJ23tARTbG5wMmBNRsWJzhOKieM0UEsXxso+z8tMMX1Vh/e9ls2qm+ks876
+WYT9/yPSsyU1z/AkHJU7
+=nHGY
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-SA-15:22.openssh.asc

@@ -0,0 +1,161 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:22.openssh                                    Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          OpenSSH multiple vulnerabilities
+
+Category:       contrib
+Module:         openssh
+Announced:      2015-08-25
+Affects:        All supported versions of FreeBSD.
+Corrected:      2015-08-25 20:48:44 UTC (stable/10, 10.2-STABLE)
+                2015-08-25 20:48:51 UTC (releng/10.2, 10.2-RC3-p2)
+                2015-08-25 20:48:51 UTC (releng/10.2, 10.2-RELEASE-p2)
+                2015-08-25 20:48:58 UTC (releng/10.1, 10.1-RELEASE-p19)
+                2015-08-25 20:48:44 UTC (stable/9, 9.3-STABLE)
+                2015-08-25 20:49:05 UTC (releng/9.3, 9.3-RELEASE-p24)
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+OpenSSH is an implementation of the SSH protocol suite, providing an
+encrypted and authenticated transport for a variety of services,
+including remote shell access.
+
+The PAM (Pluggable Authentication Modules) library provides a flexible
+framework for user authentication and session setup / teardown.
+
+The default FreeBSD OpenSSH configuration has PAM interactive
+authentication enabled.
+
+Privilege separation is a technique in which a program is divided into
+multiple cooperating processes, each with a different task, where each
+process is limited to the specific privileges required to perform that
+specific task, while the privileged parent process acts as an arbiter.
+
+II.  Problem Description
+
+A programming error in the privileged monitor process of the sshd(8)
+service may allow the username of an already-authenticated user to be
+overwritten by the unprivileged child process.
+
+A use-after-free error in the privileged monitor process of he sshd(8)
+service may be deterministically triggered by the actions of a
+compromised unprivileged child process.
+
+A use-after-free error in the session multiplexing code in the sshd(8)
+service may result in unintended termination of the connection.
+
+III. Impact
+
+The first bug may allow a remote attacker who a) has already succeeded
+by other means in compromising the unprivileged pre-authentication
+child process and b) has valid credentials to one user on the target
+system to impersonate a different user.
+
+The second bug may allow a remote attacker who has already succeeded
+by other means in compromising the unprivileged pre-authentication
+child process to bypass PAM authentication entirely.
+
+The third bug is not exploitable, but can cause premature termination
+of a multiplexed ssh connection.
+
+IV.  Workaround
+
+No workaround is available, but systems where ssh(1) and sshd(8) are
+not used are not vulnerable.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+The sshd(8) service has to be restarted after the update.  A reboot
+is recommended but not required.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+The sshd(8) service has to be restarted after the update.  A reboot
+is recommended but not required.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-15:22/openssh.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:22/openssh.patch.asc
+# gpg --verify openssh.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the sshd(8) daemon, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/9/                                                         r287144
+releng/9.3/                                                       r287147
+stable/10/                                                        r287144
+releng/10.1/                                                      r287146
+releng/10.2/                                                      r287145
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:22.openssh.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.7 (FreeBSD)
+
+iQIcBAEBCgAGBQJV3Ne8AAoJEO1n7NZdz2rnxq8P/jW05a6zT9n78wxBuHwRJ9gx
+7+CN9AsezavW4HmZF4GmWt6SjnJqpLDMwnhceo7po6ZMIxjyWwxBWWfvUwVqezwa
+kT+DS7oHKmeZAwCSFMj9K25NN+x7KAwXXiiANcj4U4iU+q0YrcEGVIBKVqCAn3ly
+pJAkMxdTbwlWR7MaPaTMbMenVOs87b6Xx/4gfSBWolFWz9bKfdTYCxK/AnULVIZq
+Q7lShezEvgyCb8b6QLvnrY4AwHtVduiYxnvNKv8ysbaatZCarkRS8nh68zGcdTBg
+IyzG5OEtUFokVkroJaLWFXL1mUp7tgn9+UNd0/53wFN2DTZKw9oTAkKn8xrbbOSa
+xQqYFhsmqsnKlBJMEMaoK9JgGZZ6xOGo3JZ6yrFfYxiZ9xFaR843rOUe0UVrxh+L
++2DmALTyLWSkeqlcg66oKqYKMQuvUyd6VpPL0yHpB0AqBTjKjUmG9RgG8AT5MpqW
+P3weyD0n7rOCBfagofx8MIy15REwjcQSUptarWrMwhJPua95RJ/IAVIIThGrMzZ5
+PxyWDFU7B/56FRlmX5+6mfi/NC60yIyR6lg0trBtuiiEfNV+HWz6QXOIUMYQvvo9
+w8fXSy6MJ12jTFqm0+CXbx2wWEVxAZS/wtLDsa3nf2oGkO3upzFl0/fvsR1dZ/hl
+plo/3SMPpFFbfvIhy2V/
+=2w70
+-----END PGP SIGNATURE-----