Add SA-15:14 - SA-15:17.

This commit is contained in:
Xin LI 2015-07-28 20:17:10 +00:00
parent 0bacbbe09e
commit a670bd9852
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=47125
19 changed files with 1757 additions and 0 deletions

@ -0,0 +1,134 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-15:14.bsdpatch Security Advisory
The FreeBSD Project
Topic: shell injection vulnerability in patch(1)
Category: contrib
Module: patch
Announced: 2015-07-28
Credits: Martin Natano
Affects: FreeBSD 10.x.
Corrected: 2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
CVE Name: CVE-2015-1416
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The patch(1) utility takes a patch file produced by the diff(1) program and
applies the differences to an original file, producing a patched version.
The patch(1) utility supports certain version control systems, namely SCCS
and RCS, and attempts to get or check out the file before applying a patch
if the original file does not already exist.
II. Problem Description
Due to insufficient sanitization of the input patch stream, it is possible
for a patch file to cause patch(1) to run commands in addition to the desired
SCCS or RCS commands.
III. Impact
This issue could be exploited to execute arbitrary commands as the user
invoking patch(1) against a specifically crafted patch file, which could be
leveraged to obtain elevated privileges.
IV. Workaround
No workaround is available, but systems where a privileged user does not
make use of patches without proper validation are not affected.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
A reboot is not required after updating.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
A reboot is not required after updating.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-15:14/bsdpatch.patch
# fetch https://security.FreeBSD.org/patches/SA-15:14/bsdpatch.patch.asc
# gpg --verify bsdpatch.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/10/ r285976
releng/10.1/ r285978
releng/10.2/ r285979
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1416>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:14.bsdpatch.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.6 (FreeBSD)
=JTtx
-----END PGP SIGNATURE-----
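The defect and the fix this advisory describes, as an added example that is not FreeBSD's code and not the patch(1) source: a file name spliced into a command string is re-parsed by /bin/sh, while the same name passed as one argv element to execv() is not. The `set -- %s; exit $#` probe, the `/bin/sh -c 'exit $#'` probe and the sample names are constructed for the demonstration so the word count the child reports makes the difference observable; the fork/execv helper has the shape of the fix in the bundled patch but is written here from scratch.

```c
/*
 * Added example (not FreeBSD's code): the pattern SA-15:14 fixes in
 * patch(1). The vulnerable form lets the shell split and interpret the
 * file name; the hardened form hands it over as a single argv entry.
 */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Exit status of a finished child, or -1 on error or abnormal termination. */
static int exit_status(int status)
{
    if (!WIFEXITED(status))
        return -1;              /* killed by a signal: never report success */
    return WEXITSTATUS(status);
}

/* Vulnerable form: `name` becomes part of shell syntax. The constructed
 * command reports how many words the shell saw; a real tool would act on
 * them (and on anything after a ';'). */
int words_seen_via_system(const char *name)
{
    char cmd[256];

    if (snprintf(cmd, sizeof(cmd), "set -- %s; exit $#", name) >= (int)sizeof(cmd))
        return -1;
    return exit_status(system(cmd));
}

/* Hardened form: fork/execv with an argv array and an absolute path, so
 * no shell ever parses the arguments. stdout goes to /dev/null as in the
 * patch(1) fix. Returns the child's exit status, 127 if exec failed,
 * -1 on fork/wait failure or death by signal. */
int run_noshell(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid == -1)
        return -1;
    if (pid == 0) {
        int devnull = open("/dev/null", O_WRONLY);
        if (devnull != -1) {
            (void)dup2(devnull, STDOUT_FILENO);
            close(devnull);
        }
        execv(path, argv);
        _exit(127);  /* exec failed; _exit() so the parent's stdio buffers are not flushed twice */
    }
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return exit_status(status);
}

/* Same measurement as above, but `name` travels as exactly one argv entry:
 * sh -c 'exit $#' sh <name>  ->  $# is always 1, whatever the name holds. */
int words_seen_via_execv(const char *name)
{
    char *argv[] = { "sh", "-c", "exit $#", "sh", (char *)name, NULL };

    return run_noshell("/bin/sh", argv);
}

int main(void)
{
    const char *hostile = "a b; true";   /* constructed sample: space and ';' */

    printf("system() sees %d word(s) in \"plain.c\"\n", words_seen_via_system("plain.c"));
    printf("system() sees %d word(s) in \"%s\"\n", words_seen_via_system(hostile), hostile);
    printf("execv()  sees %d word(s) in \"%s\"\n", words_seen_via_execv(hostile), hostile);
    return 0;
}
```

With the hostile name the system() form reports two words and has already run the `true` after the semicolon; the execv() form reports one word regardless of the name's contents. The `WIFEXITED` check in `exit_status` matters for the same reason as in the fix: a helper killed by a signal must not be mistaken for a clean checkout.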

@ -0,0 +1,187 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-15:15.tcp Security Advisory
The FreeBSD Project
Topic: Resource exhaustion in TCP reassembly
Category: core
Module: inet
Announced: 2015-07-28
Credits: Patrick Kelsey (Norse Corporation)
Affects: All supported versions of FreeBSD.
Corrected: 2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)
2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)
2015-07-28 19:58:54 UTC (stable/8, 8.4-STABLE)
2015-07-28 19:59:22 UTC (releng/8.4, 8.4-RELEASE-p35)
CVE Name: CVE-2015-1417
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data
stream service.
The underlying IP datagram service is simple and potentially unreliable and
may deliver segments out of order; the TCP receiver therefore needs to
reassemble the segments into their original sequence to provide a reliable
octet stream. Because reassembly requires additional resources to hold the
queued segments, resource exhaustion in the TCP reassembly path has
historically been prevented by limiting the total number of segments that
can belong to reassembly queues to a small fraction (1/16) of the total
number of mbuf clusters in the system.
VNET is a technique to virtualize the network stack, first introduced in
FreeBSD 8.0. It changes global resources in the network stack into per
network stack resources, so that a virtual network stack can be attached
to a jailed prison and the prison can have unrestricted access to the
virtual network stack. VNET is not enabled by default and has to be
enabled by recompiling the kernel.
II. Problem Description
A mistake made when VNET was introduced converted the global limit on the
number of segments that can belong to reassembly queues into a per-VNET
limit. Because mbufs are allocated from a global pool, given a sufficient
number of VNETs the total number of mbufs attached to reassembly queues can
grow to the total number of mbufs in the system, at which point all network
traffic would cease.
III. Impact
An attacker who can establish concurrent TCP connections across a
sufficient number of VNETs and manipulate the inbound packet streams
such that the maximum number of mbufs are enqueued on each reassembly
queue can cause mbuf cluster exhaustion on the target system, resulting
in a Denial of Service condition.
As the default per-VNET limit on the number of segments that can
belong to reassembly queues is 1/16 of the total number of mbuf
clusters in the system, only systems that have 16 or more VNET
instances are vulnerable.
IV. Workaround
FreeBSD 8.x, 9.x and 10.x systems that do not make use of VNETs
(option VIMAGE) are not affected. The support has to be specifically
compiled into a custom kernel, so its use is not common.
For affected systems, system administrators may consider reducing the
net.inet.tcp.reass.maxsegments tunable to the value of kern.ipc.nmbclusters
divided by (the total number of VNETs that will be used in the system plus
one), to prevent a Denial of Service via this vulnerability. For example,
if there are 16 VNETs in the system, net.inet.tcp.reass.maxsegments should
be set to kern.ipc.nmbclusters / 17.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot the system.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
And reboot the system.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 10.2]
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp.patch
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp.patch.asc
# gpg --verify tcp.patch.asc
[FreeBSD 9.3 and 10.1]
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-9.3-10.1.patch
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-9.3-10.1.patch.asc
# gpg --verify tcp-9.3-10.1.patch.asc
[FreeBSD 8.4]
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-8.patch
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-8.patch.asc
# gpg --verify tcp-8.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r285977
releng/8.4/ r285980
stable/9/ r285977
releng/9.3/ r285980
stable/10/ r285976
releng/10.1/ r285979
releng/10.2/ r285978
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1417>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:15.tcp.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.6 (FreeBSD)
=PC1V
-----END PGP SIGNATURE-----
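The accounting behind this advisory's Problem Description and Workaround, as an added counting model that is not FreeBSD's code and touches no kernel structures: each VNET caps its own reassembly queues, but the clusters those queues pin come from one global pool, so the caps add up across VNETs. The pool size (16384 clusters), the VNET counts and the round-robin fill order are constructed for the demonstration; the 1/16 default and the nmbclusters / (VNETs + 1) workaround value are the advisory's.

```c
/*
 * Added example (not FreeBSD's code): a counting model of the SA-15:15
 * defect. Per-VNET caps on reassembly segments, one global cluster pool.
 * All numbers are constructed, not measured on a real system.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct cluster_pool {
    long total;   /* kern.ipc.nmbclusters in the model */
    long in_use;  /* clusters currently pinned by reassembly queues */
};

/* Queue one segment in a VNET: refused by that VNET's own cap or by an
 * empty global pool, never by any global reassembly limit (the defect). */
static bool reass_enqueue(struct cluster_pool *p, long *vnet_count,
                          long per_vnet_limit)
{
    if (*vnet_count >= per_vnet_limit || p->in_use >= p->total)
        return false;
    p->in_use++;
    (*vnet_count)++;
    return true;
}

/* Default cap the advisory describes: 1/16 of the cluster pool. */
long reass_default_limit(long nmbclusters)
{
    return nmbclusters / 16;
}

/* Workaround value from the advisory: nmbclusters / (VNETs + 1). */
long reass_workaround_limit(long nmbclusters, int nvnets)
{
    return nmbclusters / (nvnets + 1);
}

/* Worst case: every VNET fills its queues to the cap, round-robin, until
 * nothing can be queued. Returns the clusters left for ordinary traffic;
 * 0 means all network traffic stalls. -1 on allocation failure. */
long clusters_left_for_traffic(long nmbclusters, int nvnets, long per_vnet_limit)
{
    struct cluster_pool pool = { nmbclusters, 0 };
    long *counts = calloc((size_t)nvnets, sizeof(*counts));
    bool progress = true;

    if (counts == NULL)
        return -1;
    while (progress) {
        progress = false;
        for (int v = 0; v < nvnets; v++)
            if (reass_enqueue(&pool, &counts[v], per_vnet_limit))
                progress = true;
    }
    free(counts);
    return pool.total - pool.in_use;
}

/* After the fix the cap is global again, so the outcome no longer depends
 * on the VNET count: it equals a single queue holder at the default limit. */
long clusters_left_after_fix(long nmbclusters)
{
    return clusters_left_for_traffic(nmbclusters, 1, reass_default_limit(nmbclusters));
}

int main(void)
{
    const long nmb = 16384;                      /* constructed pool size */
    const long dflt = reass_default_limit(nmb);  /* 1024 */

    for (int n = 1; n <= 32; n *= 2)
        printf("%2d VNETs, per-VNET cap %ld: %ld clusters left for traffic\n",
               n, dflt, clusters_left_for_traffic(nmb, n, dflt));
    printf("16 VNETs with workaround cap %ld: %ld clusters left\n",
           reass_workaround_limit(nmb, 16), clusters_left_for_traffic(nmb, 16, reass_workaround_limit(nmb, 16)));
    printf("after the fix (global cap): %ld clusters left\n", clusters_left_after_fix(nmb));
    return 0;
}
```

The model reproduces the advisory's threshold: with 15 VNETs a sixteenth of the pool survives, with 16 or more the pool is empty, and the workaround cap keeps at least one VNET's worth of clusters free for any VNET count it was computed for. A global cap (the fix) makes the result independent of the VNET count.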

@ -0,0 +1,188 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-15:16.openssh Security Advisory
The FreeBSD Project
Topic: OpenSSH multiple vulnerabilities
Category: contrib
Module: openssh
Announced: 2015-07-28
Affects: All supported versions of FreeBSD.
Corrected: 2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)
2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)
2015-07-28 19:58:54 UTC (stable/8, 8.4-STABLE)
2015-07-28 19:59:22 UTC (releng/8.4, 8.4-RELEASE-p35)
CVE Name: CVE-2014-2653, CVE-2015-5600
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenticated transport for a variety of services,
including remote shell access.
The security of the SSH connection relies on the server authenticating
itself to the client as well as the user authenticating to the server.
SSH servers use host keys to verify their identity.
RFC 4255 defines a method of verifying SSH host keys using Domain Name
System Security (DNSSEC), by publishing the key fingerprint in a DNS
"SSHFP" resource record. RFC 6187 defines methods to use a signature by a
trusted certification authority to bind a given public key to a given
digital identity with X.509v3 certificates.
The PAM (Pluggable Authentication Modules) library provides a flexible
framework for user authentication and session setup / teardown.
OpenSSH uses PAM for password authentication by default.
II. Problem Description
OpenSSH clients do not correctly verify DNS SSHFP records when a server
offers a certificate. [CVE-2014-2653]
OpenSSH servers which are configured to allow password authentication
using PAM (the default) would allow many password attempts. [CVE-2015-5600]
III. Impact
A malicious server may be able to force a connecting client to skip the DNS
SSHFP record check and require the user to perform manual verification of
the host key fingerprint. This could allow a man-in-the-middle attack if
the user does not carefully check the fingerprint. [CVE-2014-2653]
A remote attacker may effectively bypass the MaxAuthTries setting, which
would enable them to brute force passwords. [CVE-2015-5600]
IV. Workaround
Systems that do not use OpenSSH are not affected.
There is no workaround for CVE-2014-2653, but the problem only affects
networks where DNSSEC and SSHFP are properly configured. Users of SSH
should always check server host key fingerprints carefully when prompted.
System administrators can set:
UsePAM no
in their /etc/ssh/sshd_config and restart the sshd service to work around
the problem described as CVE-2015-5600, at the expense of losing the
features provided by the PAM framework.
We recommend that system administrators disable password based
authentication completely and use key based authentication exclusively in
their SSH server configuration when possible. This eliminates the
possibility of ever being exposed to a password brute force attack.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
SSH service has to be restarted after the update. A reboot is recommended
but not required.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
SSH service has to be restarted after the update. A reboot is recommended
but not required.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 9.3, 10.1, 10.2]
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch.asc
# gpg --verify openssh.patch.asc
[FreeBSD 8.4]
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch.asc
# gpg --verify openssh-8.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the SSH service, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r285977
releng/8.4/ r285980
stable/9/ r285977
releng/9.3/ r285980
stable/10/ r285976
releng/10.1/ r285979
releng/10.2/ r285978
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2653>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5600>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:16.openssh.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.6 (FreeBSD)
=6PBw
-----END PGP SIGNATURE-----

@ -0,0 +1,139 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-15:17.bind Security Advisory
The FreeBSD Project
Topic: BIND remote denial of service vulnerability
Category: contrib
Module: bind
Announced: 2015-07-28
Credits: ISC
Affects: FreeBSD 8.x and FreeBSD 9.x.
Corrected: 2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)
2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)
2015-07-28 19:58:54 UTC (stable/8, 8.4-STABLE)
2015-07-28 19:59:22 UTC (releng/8.4, 8.4-RELEASE-p35)
CVE Name: CVE-2015-5477
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.
II. Problem Description
An error in the handling of TKEY queries can be exploited by an attacker
for use as a denial-of-service vector, as a constructed packet can use
the defect to trigger a REQUIRE assertion failure, causing BIND to exit.
III. Impact
A remote attacker can trigger a crash of a name server. Both recursive and
authoritative servers are affected, and the exposure cannot be mitigated
by either ACLs or configuration options limiting or denying service, because
the exploitable code runs early in packet handling, before the checks that
enforce those boundaries.
IV. Workaround
No workaround is available, but systems that are not running BIND are not
vulnerable.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
The named service has to be restarted after the update. A reboot is
recommended but not required.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
The named service has to be restarted after the update. A reboot is
recommended but not required.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-15:17/bind.patch
# fetch https://security.FreeBSD.org/patches/SA-15:17/bind.patch.asc
# gpg --verify bind.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the applicable daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r285977
releng/8.4/ r285980
stable/9/ r285977
releng/9.3/ r285980
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://kb.isc.org/article/AA-01272>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5477>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:17.bind.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.6 (FreeBSD)
=40iD
-----END PGP SIGNATURE-----

@ -0,0 +1,188 @@
Index: usr.bin/patch/common.h
===================================================================
--- usr.bin/patch/common.h (revision 285926)
+++ usr.bin/patch/common.h (working copy)
@@ -43,12 +43,10 @@
#define LINENUM_MAX LONG_MAX
#define SCCSPREFIX "s."
-#define GET "get -e %s"
-#define SCCSDIFF "get -p %s | diff - %s >/dev/null"
#define RCSSUFFIX ",v"
-#define CHECKOUT "co -l %s"
-#define RCSDIFF "rcsdiff %s > /dev/null"
+#define CHECKOUT "/usr/bin/co"
+#define RCSDIFF "/usr/bin/rcsdiff"
#define ORIGEXT ".orig"
#define REJEXT ".rej"
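Review bot: removing GET and SCCSDIFF drops SCCS support from patch(1) altogether rather than converting it to the execv() form the RCS path gets, yet the advisory's Background still says patch(1) supports "SCCS and RCS". Either keep SCCS with absolute-path defines like CHECKOUT/RCSDIFF here and an argv-based `get -e`/`get -p` call in inp.c, or state the removal in the advisory and the patch(1) manual page so users of SCCS trees know the behaviour changed.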
Index: usr.bin/patch/inp.c
===================================================================
--- usr.bin/patch/inp.c (revision 285926)
+++ usr.bin/patch/inp.c (working copy)
@@ -31,8 +31,10 @@
#include <sys/file.h>
#include <sys/stat.h>
#include <sys/mman.h>
+#include <sys/wait.h>
#include <ctype.h>
+#include <errno.h>
#include <libgen.h>
#include <stddef.h>
#include <stdint.h>
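Review bot: the child-process code in the later hunks calls open(2) with O_RDONLY and strerror(3); this hunk adds <sys/wait.h> and <errno.h> but not <fcntl.h> or <string.h>, so confirm both are already included by inp.c (the context shown here ends at <stdint.h>). O_RDONLY for a descriptor that is then dup2()'d onto STDOUT_FILENO also reads oddly; O_WRONLY is the intent for a stdout sink.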
@@ -133,12 +135,14 @@ reallocate_lines(size_t *lines_allocated)
static bool
plan_a(const char *filename)
{
- int ifd, statfailed;
+ int ifd, statfailed, devnull, pstat;
char *p, *s, lbuf[INITLINELEN];
struct stat filestat;
ptrdiff_t sz;
size_t i;
size_t iline, lines_allocated;
+ pid_t pid;
+ char *argp[4] = {NULL};
#ifdef DEBUGGING
if (debug & 8)
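Review bot: `char *argp[4] = {NULL}` is sized for the larger `co -l filename` argv and relies on the zero-initialised tail as the NULL terminator for both execv() calls (argp[2] for rcsdiff, argp[3] for co); a one-line comment stating that, or building each argv locally where it is used, would stop a later argument addition from silently losing the terminator. `devnull` is only meaningful in the child branch, so declaring it there would keep plan_a's locals tied to their use.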
@@ -166,13 +170,14 @@ plan_a(const char *filename)
}
if (statfailed && check_only)
fatal("%s not found, -C mode, can't probe further\n", filename);
- /* For nonexistent or read-only files, look for RCS or SCCS versions. */
+ /* For nonexistent or read-only files, look for RCS versions. */
+
if (statfailed ||
/* No one can write to it. */
(filestat.st_mode & 0222) == 0 ||
/* I can't write to it. */
((filestat.st_mode & 0022) == 0 && filestat.st_uid != getuid())) {
- const char *cs = NULL, *filebase, *filedir;
+ char *filebase, *filedir;
struct stat cstat;
char *tmp_filename1, *tmp_filename2;
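Review bot: dropping `const` from `filebase` and `filedir` is unnecessary; basename(3) and dirname(3) return `char *`, which converts to `const char *` implicitly, and neither variable is written to afterwards, so `const char *filebase, *filedir;` still compiles and documents that they are read-only views into tmp_filename1/2.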
@@ -180,43 +185,26 @@ plan_a(const char *filename)
tmp_filename2 = strdup(filename);
if (tmp_filename1 == NULL || tmp_filename2 == NULL)
fatal("strdupping filename");
+
filebase = basename(tmp_filename1);
filedir = dirname(tmp_filename2);
- /* Leave room in lbuf for the diff command. */
- s = lbuf + 20;
-
#define try(f, a1, a2, a3) \
- (snprintf(s, buf_size - 20, f, a1, a2, a3), stat(s, &cstat) == 0)
+ (snprintf(lbuf, sizeof(lbuf), f, a1, a2, a3), stat(lbuf, &cstat) == 0)
- if (try("%s/RCS/%s%s", filedir, filebase, RCSSUFFIX) ||
- try("%s/RCS/%s%s", filedir, filebase, "") ||
- try("%s/%s%s", filedir, filebase, RCSSUFFIX)) {
- snprintf(buf, buf_size, CHECKOUT, filename);
- snprintf(lbuf, sizeof lbuf, RCSDIFF, filename);
- cs = "RCS";
- } else if (try("%s/SCCS/%s%s", filedir, SCCSPREFIX, filebase) ||
- try("%s/%s%s", filedir, SCCSPREFIX, filebase)) {
- snprintf(buf, buf_size, GET, s);
- snprintf(lbuf, sizeof lbuf, SCCSDIFF, s, filename);
- cs = "SCCS";
- } else if (statfailed)
- fatal("can't find %s\n", filename);
-
- free(tmp_filename1);
- free(tmp_filename2);
-
/*
* else we can't write to it but it's not under a version
* control system, so just proceed.
*/
- if (cs) {
+ if (try("%s/RCS/%s%s", filedir, filebase, RCSSUFFIX) ||
+ try("%s/RCS/%s%s", filedir, filebase, "") ||
+ try("%s/%s%s", filedir, filebase, RCSSUFFIX)) {
if (!statfailed) {
if ((filestat.st_mode & 0222) != 0)
/* The owner can write to it. */
fatal("file %s seems to be locked "
- "by somebody else under %s\n",
- filename, cs);
+ "by somebody else under RCS\n",
+ filename);
/*
* It might be checked out unlocked. See if
* it's safe to check out the default version
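Review bot: the comment "else we can't write to it but it's not under a version control system, so just proceed." used to sit between the VCS probe and `if (cs)`; it now precedes the `if (try(...))` that performs the RCS probe, so it describes the wrong branch. Move it to the `} else if (statfailed) {` tail of the block or reword it. The `try` macro change itself is sound: formatting into `lbuf` with `sizeof(lbuf)` drops the 20-byte reservation that only existed so the SCCS command could share the buffer, and nothing in the new code uses `lbuf` to hold a command string.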
@@ -224,21 +212,59 @@ plan_a(const char *filename)
*/
if (verbose)
say("Comparing file %s to default "
- "%s version...\n",
- filename, cs);
- if (system(lbuf))
+ "RCS version...\n", filename);
+
+ switch (pid = fork()) {
+ case -1:
+ fatal("can't fork: %s\n",
+ strerror(errno));
+ case 0:
+ devnull = open("/dev/null", O_RDONLY);
+ if (devnull == -1) {
+ fatal("can't open /dev/null: %s",
+ strerror(errno));
+ }
+ (void)dup2(devnull, STDOUT_FILENO);
+ argp[0] = strdup(RCSDIFF);
+ argp[1] = strdup(filename);
+ execv(RCSDIFF, argp);
+ exit(127);
+ }
+ pid = waitpid(pid, &pstat, 0);
+ if (pid == -1 || WEXITSTATUS(pstat) != 0) {
fatal("can't check out file %s: "
- "differs from default %s version\n",
- filename, cs);
+ "differs from default RCS version\n",
+ filename);
+ }
}
+
if (verbose)
- say("Checking out file %s from %s...\n",
- filename, cs);
- if (system(buf) || stat(filename, &filestat))
- fatal("can't check out file %s from %s\n",
- filename, cs);
+ say("Checking out file %s from RCS...\n",
+ filename);
+
+ switch (pid = fork()) {
+ case -1:
+ fatal("can't fork: %s\n", strerror(errno));
+ case 0:
+ argp[0] = strdup(CHECKOUT);
+ argp[1] = strdup("-l");
+ argp[2] = strdup(filename);
+ execv(CHECKOUT, argp);
+ exit(127);
+ }
+ pid = waitpid(pid, &pstat, 0);
+ if (pid == -1 || WEXITSTATUS(pstat) != 0 ||
+ stat(filename, &filestat)) {
+ fatal("can't check out file %s from RCS\n",
+ filename);
+ }
+ } else if (statfailed) {
+ fatal("can't find %s\n", filename);
}
+ free(tmp_filename1);
+ free(tmp_filename2);
}
+
filemode = filestat.st_mode;
if (!S_ISREG(filemode))
fatal("%s is not a normal file--can't patch\n", filename);
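Review bot: both waitpid() checks test `WEXITSTATUS(pstat) != 0` without first testing `WIFEXITED(pstat)`; for a child killed by a signal the status carries the signal number in the low byte and WEXITSTATUS yields 0 on FreeBSD, so an rcsdiff or co that died would be treated as a successful comparison or checkout. Use `pid == -1 || !WIFEXITED(pstat) || WEXITSTATUS(pstat) != 0` in both places. In the child, prefer `_exit(127)` to `exit(127)` after a failed execv (exit() flushes the parent's stdio buffers a second time in the forked copy), and avoid calling fatal() from the child for the /dev/null failure for the same reason: write the message and _exit(). The strdup() results placed in argp are unchecked, and a filename beginning with '-' is still handed to co/rcsdiff where it parses as an option (the old system() form had the same problem); prefixing relative names with "./" would close that. Otherwise this is the actual fix: with execv(), absolute paths and the filename as a single argv entry, shell metacharacters in the name are never interpreted.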

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.6 (FreeBSD)
=fzsn
-----END PGP SIGNATURE-----

@ -0,0 +1,203 @@
Index: sys/netinet/tcp_reass.c
===================================================================
--- sys/netinet/tcp_reass.c (revision 285923)
+++ sys/netinet/tcp_reass.c (working copy)
@@ -80,29 +80,25 @@ static int tcp_reass_sysctl_qsize(SYSCTL_HANDLER_A
SYSCTL_NODE(_net_inet_tcp, OID_AUTO, reass, CTLFLAG_RW, 0,
"TCP Segment Reassembly Queue");
-static VNET_DEFINE(int, tcp_reass_maxseg) = 0;
-#define V_tcp_reass_maxseg VNET(tcp_reass_maxseg)
+static int tcp_reass_maxseg = 0;
SYSCTL_VNET_PROC(_net_inet_tcp_reass, OID_AUTO, maxsegments,
CTLTYPE_INT | CTLFLAG_RDTUN,
- &VNET_NAME(tcp_reass_maxseg), 0, &tcp_reass_sysctl_maxseg, "I",
+ &tcp_reass_maxseg, 0, &tcp_reass_sysctl_maxseg, "I",
"Global maximum number of TCP Segments in Reassembly Queue");
-static VNET_DEFINE(int, tcp_reass_qsize) = 0;
-#define V_tcp_reass_qsize VNET(tcp_reass_qsize)
-SYSCTL_VNET_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,
+static int tcp_reass_qsize = 0;
+SYSCTL_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,
CTLTYPE_INT | CTLFLAG_RD,
- &VNET_NAME(tcp_reass_qsize), 0, &tcp_reass_sysctl_qsize, "I",
+ &tcp_reass_qsize, 0, &tcp_reass_sysctl_qsize, "I",
"Global number of TCP Segments currently in Reassembly Queue");
-static VNET_DEFINE(int, tcp_reass_overflows) = 0;
-#define V_tcp_reass_overflows VNET(tcp_reass_overflows)
-SYSCTL_VNET_INT(_net_inet_tcp_reass, OID_AUTO, overflows,
+static int tcp_reass_overflows = 0;
+SYSCTL_INT(_net_inet_tcp_reass, OID_AUTO, overflows,
CTLTYPE_INT | CTLFLAG_RD,
- &VNET_NAME(tcp_reass_overflows), 0,
+ &tcp_reass_overflows, 0,
"Global number of TCP Segment Reassembly Queue Overflows");
-static VNET_DEFINE(uma_zone_t, tcp_reass_zone);
-#define V_tcp_reass_zone VNET(tcp_reass_zone)
+static uma_zone_t tcp_reass_zone;
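Review bot: `maxsegments` is left as SYSCTL_VNET_PROC while its arg1 becomes the plain global `&tcp_reass_maxseg`, whereas `cursegments` and `overflows` in the same hunk are switched to SYSCTL_PROC and SYSCTL_INT. SYSCTL_VNET_* marks the OID with CTLFLAG_VNET, which tells the sysctl layer to treat arg1 as an offset into the current vnet's data area before calling the handler; with a plain global that pointer no longer means anything, so reading or tuning net.inet.tcp.reass.maxsegments would touch the wrong address. Change it to SYSCTL_PROC for consistency with the other two (the 9.3/10.1 variant of this patch uses SYSCTL_INT here, which is also fine).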
/* Initialize TCP reassembly queue */
static void
@@ -109,34 +105,25 @@ static void
tcp_reass_zone_change(void *tag)
{
- V_tcp_reass_maxseg = nmbclusters / 16;
- uma_zone_set_max(V_tcp_reass_zone, V_tcp_reass_maxseg);
+ tcp_reass_maxseg = nmbclusters / 16;
+ uma_zone_set_max(tcp_reass_zone, tcp_reass_maxseg);
}
void
-tcp_reass_init(void)
+tcp_reass_global_init(void)
{
- V_tcp_reass_maxseg = nmbclusters / 16;
+ tcp_reass_maxseg = nmbclusters / 16;
TUNABLE_INT_FETCH("net.inet.tcp.reass.maxsegments",
- &V_tcp_reass_maxseg);
- V_tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
+ &tcp_reass_maxseg);
+ tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
- uma_zone_set_max(V_tcp_reass_zone, V_tcp_reass_maxseg);
+ uma_zone_set_max(tcp_reass_zone, tcp_reass_maxseg);
EVENTHANDLER_REGISTER(nmbclusters_change,
tcp_reass_zone_change, NULL, EVENTHANDLER_PRI_ANY);
}
-#ifdef VIMAGE
void
-tcp_reass_destroy(void)
-{
-
- uma_zdestroy(V_tcp_reass_zone);
-}
-#endif
-
-void
tcp_reass_flush(struct tcpcb *tp)
{
struct tseg_qent *qe;
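Review bot: dropping tcp_reass_destroy() with the `#ifdef VIMAGE` block is consistent with the zone becoming global, but tcp_reass_global_init() now has no teardown and registers an nmbclusters_change handler each time it runs, so it is only correct if called exactly once; the tcp_subr.c hunk guarantees that by calling it after the `IS_DEFAULT_VNET(curvnet)` early return. State that requirement in a comment above the function so a future VNET change does not reintroduce a per-vnet call and a duplicate handler registration.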
@@ -146,7 +133,7 @@ tcp_reass_flush(struct tcpcb *tp)
while ((qe = LIST_FIRST(&tp->t_segq)) != NULL) {
LIST_REMOVE(qe, tqe_q);
m_freem(qe->tqe_m);
- uma_zfree(V_tcp_reass_zone, qe);
+ uma_zfree(tcp_reass_zone, qe);
tp->t_segqlen--;
}
@@ -158,7 +145,7 @@ tcp_reass_flush(struct tcpcb *tp)
static int
tcp_reass_sysctl_maxseg(SYSCTL_HANDLER_ARGS)
{
- V_tcp_reass_maxseg = uma_zone_get_max(V_tcp_reass_zone);
+ tcp_reass_maxseg = uma_zone_get_max(tcp_reass_zone);
return (sysctl_handle_int(oidp, arg1, arg2, req));
}
@@ -165,7 +152,7 @@ tcp_reass_sysctl_maxseg(SYSCTL_HANDLER_ARGS)
static int
tcp_reass_sysctl_qsize(SYSCTL_HANDLER_ARGS)
{
- V_tcp_reass_qsize = uma_zone_get_cur(V_tcp_reass_zone);
+ tcp_reass_qsize = uma_zone_get_cur(tcp_reass_zone);
return (sysctl_handle_int(oidp, arg1, arg2, req));
}
@@ -213,7 +200,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
*/
if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
- V_tcp_reass_overflows++;
+ tcp_reass_overflows++;
TCPSTAT_INC(tcps_rcvmemdrop);
m_freem(m);
*tlenp = 0;
@@ -232,7 +219,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
* Use a temporary structure on the stack for the missing segment
* when the zone is exhausted. Otherwise we may get stuck.
*/
- te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
+ te = uma_zalloc(tcp_reass_zone, M_NOWAIT);
if (te == NULL) {
if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) {
TCPSTAT_INC(tcps_rcvmemdrop);
@@ -283,7 +270,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp);
m_freem(m);
if (te != &tqs)
- uma_zfree(V_tcp_reass_zone, te);
+ uma_zfree(tcp_reass_zone, te);
tp->t_segqlen--;
/*
* Try to present any queued data
@@ -320,7 +307,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
nq = LIST_NEXT(q, tqe_q);
LIST_REMOVE(q, tqe_q);
m_freem(q->tqe_m);
- uma_zfree(V_tcp_reass_zone, q);
+ uma_zfree(tcp_reass_zone, q);
tp->t_segqlen--;
q = nq;
}
@@ -359,7 +346,7 @@ present:
else
sbappendstream_locked(&so->so_rcv, q->tqe_m);
if (q != &tqs)
- uma_zfree(V_tcp_reass_zone, q);
+ uma_zfree(tcp_reass_zone, q);
tp->t_segqlen--;
q = nq;
} while (q && q->tqe_th->th_seq == tp->rcv_nxt);
Index: sys/netinet/tcp_subr.c
===================================================================
--- sys/netinet/tcp_subr.c (revision 285923)
+++ sys/netinet/tcp_subr.c (working copy)
@@ -375,7 +375,6 @@ tcp_init(void)
tcp_tw_init();
syncache_init();
tcp_hc_init();
- tcp_reass_init();
TUNABLE_INT_FETCH("net.inet.tcp.sack.enable", &V_tcp_do_sack);
V_sack_hole_zone = uma_zcreate("sackhole", sizeof(struct sackhole),
@@ -385,6 +384,8 @@ tcp_init(void)
if (!IS_DEFAULT_VNET(curvnet))
return;
+ tcp_reass_global_init();
+
/* XXX virtualize those bellow? */
tcp_delacktime = TCPTV_DELACK;
tcp_keepinit = TCPTV_KEEP_INIT;
@@ -424,7 +425,6 @@ void
tcp_destroy(void)
{
- tcp_reass_destroy();
tcp_hc_destroy();
syncache_destroy();
tcp_tw_destroy();
Index: sys/netinet/tcp_var.h
===================================================================
--- sys/netinet/tcp_var.h (revision 285923)
+++ sys/netinet/tcp_var.h (working copy)
@@ -653,11 +653,8 @@ char *tcp_log_addrs(struct in_conninfo *, struct
char *tcp_log_vain(struct in_conninfo *, struct tcphdr *, void *,
const void *);
int tcp_reass(struct tcpcb *, struct tcphdr *, int *, struct mbuf *);
-void tcp_reass_init(void);
+void tcp_reass_global_init(void);
void tcp_reass_flush(struct tcpcb *);
-#ifdef VIMAGE
-void tcp_reass_destroy(void);
-#endif
void tcp_input(struct mbuf *, int);
u_long tcp_maxmtu(struct in_conninfo *, int *);
u_long tcp_maxmtu6(struct in_conninfo *, int *);


@ -0,0 +1,194 @@
Index: sys/netinet/tcp_reass.c
===================================================================
--- sys/netinet/tcp_reass.c (revision 285923)
+++ sys/netinet/tcp_reass.c (working copy)
@@ -79,25 +79,22 @@ static int tcp_reass_sysctl_qsize(SYSCTL_HANDLER_A
static SYSCTL_NODE(_net_inet_tcp, OID_AUTO, reass, CTLFLAG_RW, 0,
"TCP Segment Reassembly Queue");
-static VNET_DEFINE(int, tcp_reass_maxseg) = 0;
-#define V_tcp_reass_maxseg VNET(tcp_reass_maxseg)
-SYSCTL_VNET_INT(_net_inet_tcp_reass, OID_AUTO, maxsegments, CTLFLAG_RDTUN,
- &VNET_NAME(tcp_reass_maxseg), 0,
+static int tcp_reass_maxseg = 0;
+SYSCTL_INT(_net_inet_tcp_reass, OID_AUTO, maxsegments, CTLFLAG_RDTUN,
+ &tcp_reass_maxseg, 0,
"Global maximum number of TCP Segments in Reassembly Queue");
-SYSCTL_VNET_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,
+SYSCTL_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,
(CTLTYPE_INT | CTLFLAG_RD), NULL, 0, &tcp_reass_sysctl_qsize, "I",
"Global number of TCP Segments currently in Reassembly Queue");
-static VNET_DEFINE(int, tcp_reass_overflows) = 0;
-#define V_tcp_reass_overflows VNET(tcp_reass_overflows)
-SYSCTL_VNET_INT(_net_inet_tcp_reass, OID_AUTO, overflows,
+static int tcp_reass_overflows = 0;
+SYSCTL_INT(_net_inet_tcp_reass, OID_AUTO, overflows,
CTLTYPE_INT | CTLFLAG_RD,
- &VNET_NAME(tcp_reass_overflows), 0,
+ &tcp_reass_overflows, 0,
"Global number of TCP Segment Reassembly Queue Overflows");
-static VNET_DEFINE(uma_zone_t, tcp_reass_zone);
-#define V_tcp_reass_zone VNET(tcp_reass_zone)
+static uma_zone_t tcp_reass_zone;
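Review bot: the overflows sysctl at the `CTLTYPE_INT | CTLFLAG_RD,` line still passes a type bit in the access argument even though SYSCTL_INT supplies CTLTYPE_INT itself; `CTLFLAG_RD` alone is enough and matches the other copy of this patch on the page. The conversion itself is sound: the descriptions have said "Global ..." all along, and with the VNET_DEFINE/VNET_NAME wrappers gone the limit, the current-size handler and the overflow counter now really are one kernel-wide instance rather than one per VNET.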
/* Initialize TCP reassembly queue */
static void
@@ -105,37 +102,28 @@ tcp_reass_zone_change(void *tag)
{
/* Set the zone limit and read back the effective value. */
- V_tcp_reass_maxseg = nmbclusters / 16;
- V_tcp_reass_maxseg = uma_zone_set_max(V_tcp_reass_zone,
- V_tcp_reass_maxseg);
+ tcp_reass_maxseg = nmbclusters / 16;
+ tcp_reass_maxseg = uma_zone_set_max(tcp_reass_zone,
+ tcp_reass_maxseg);
}
void
-tcp_reass_init(void)
+tcp_reass_global_init(void)
{
- V_tcp_reass_maxseg = nmbclusters / 16;
+ tcp_reass_maxseg = nmbclusters / 16;
TUNABLE_INT_FETCH("net.inet.tcp.reass.maxsegments",
- &V_tcp_reass_maxseg);
- V_tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
+ &tcp_reass_maxseg);
+ tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
/* Set the zone limit and read back the effective value. */
- V_tcp_reass_maxseg = uma_zone_set_max(V_tcp_reass_zone,
- V_tcp_reass_maxseg);
+ tcp_reass_maxseg = uma_zone_set_max(tcp_reass_zone,
+ tcp_reass_maxseg);
EVENTHANDLER_REGISTER(nmbclusters_change,
tcp_reass_zone_change, NULL, EVENTHANDLER_PRI_ANY);
}
-#ifdef VIMAGE
void
-tcp_reass_destroy(void)
-{
-
- uma_zdestroy(V_tcp_reass_zone);
-}
-#endif
-
-void
tcp_reass_flush(struct tcpcb *tp)
{
struct tseg_qent *qe;
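Review bot: tcp_reass_global_init() now creates the zone and registers the nmbclusters_change handler once for the whole kernel, and with tcp_reass_destroy() removed the zone is never torn down; that is the intended fix, but nothing in the function documents that it must be called exactly once (a second call would create a second "tcpreass" zone and register the handler twice). Suggest a one-line comment above it, e.g. `/* Called once from the default VNET's tcp_init(); the zone is shared by all VNETs. */`, so the constraint survives future refactoring of tcp_subr.c.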
@@ -145,7 +133,7 @@ tcp_reass_flush(struct tcpcb *tp)
while ((qe = LIST_FIRST(&tp->t_segq)) != NULL) {
LIST_REMOVE(qe, tqe_q);
m_freem(qe->tqe_m);
- uma_zfree(V_tcp_reass_zone, qe);
+ uma_zfree(tcp_reass_zone, qe);
tp->t_segqlen--;
}
@@ -159,7 +147,7 @@ tcp_reass_sysctl_qsize(SYSCTL_HANDLER_ARGS)
{
int qsize;
- qsize = uma_zone_get_cur(V_tcp_reass_zone);
+ qsize = uma_zone_get_cur(tcp_reass_zone);
return (sysctl_handle_int(oidp, &qsize, 0, req));
}
@@ -207,7 +195,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
*/
if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
- V_tcp_reass_overflows++;
+ tcp_reass_overflows++;
TCPSTAT_INC(tcps_rcvmemdrop);
m_freem(m);
*tlenp = 0;
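Review bot: `tcp_reass_overflows++` now bumps a single kernel-wide counter from every connection's input path while holding only that connection's lock, so concurrent increments can lose updates (the same unlocked increment previously hit a per-VNET variable, so the race is not new, but its scope widens). For a diagnostic statistic that is tolerable; if exact counts matter for spotting reassembly-queue pressure, a counter(9) or `atomic_add_int(&tcp_reass_overflows, 1)` would make it reliable, and either way a short comment stating that the count is approximate would stop a reader from treating it as exact.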
@@ -226,7 +214,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
* Use a temporary structure on the stack for the missing segment
* when the zone is exhausted. Otherwise we may get stuck.
*/
- te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
+ te = uma_zalloc(tcp_reass_zone, M_NOWAIT);
if (te == NULL) {
if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) {
TCPSTAT_INC(tcps_rcvmemdrop);
@@ -277,7 +265,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp);
m_freem(m);
if (te != &tqs)
- uma_zfree(V_tcp_reass_zone, te);
+ uma_zfree(tcp_reass_zone, te);
tp->t_segqlen--;
/*
* Try to present any queued data
@@ -314,7 +302,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
nq = LIST_NEXT(q, tqe_q);
LIST_REMOVE(q, tqe_q);
m_freem(q->tqe_m);
- uma_zfree(V_tcp_reass_zone, q);
+ uma_zfree(tcp_reass_zone, q);
tp->t_segqlen--;
q = nq;
}
@@ -353,7 +341,7 @@ present:
else
sbappendstream_locked(&so->so_rcv, q->tqe_m);
if (q != &tqs)
- uma_zfree(V_tcp_reass_zone, q);
+ uma_zfree(tcp_reass_zone, q);
tp->t_segqlen--;
q = nq;
} while (q && q->tqe_th->th_seq == tp->rcv_nxt);
Index: sys/netinet/tcp_subr.c
===================================================================
--- sys/netinet/tcp_subr.c (revision 285923)
+++ sys/netinet/tcp_subr.c (working copy)
@@ -375,7 +375,6 @@ tcp_init(void)
tcp_tw_init();
syncache_init();
tcp_hc_init();
- tcp_reass_init();
TUNABLE_INT_FETCH("net.inet.tcp.sack.enable", &V_tcp_do_sack);
V_sack_hole_zone = uma_zcreate("sackhole", sizeof(struct sackhole),
@@ -385,6 +384,8 @@ tcp_init(void)
if (!IS_DEFAULT_VNET(curvnet))
return;
+ tcp_reass_global_init();
+
/* XXX virtualize those bellow? */
tcp_delacktime = TCPTV_DELACK;
tcp_keepinit = TCPTV_KEEP_INIT;
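Review bot: the initialisation moves from the per-VNET part of tcp_init() (the removed `tcp_reass_init();` above the sack zone creation) to after the `if (!IS_DEFAULT_VNET(curvnet)) return;` early exit, so it runs only while the default VNET is set up; every later VNET therefore relies on the zone already existing, which holds because the default VNET is initialised at boot before any other can be created. The call now sits directly above the `/* XXX virtualize those bellow? */` comment, which makes the reassembly zone read as a candidate for virtualisation again; a comment next to `tcp_reass_global_init();` saying the zone is deliberately global would prevent that misreading.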
@@ -432,7 +433,6 @@ void
tcp_destroy(void)
{
- tcp_reass_destroy();
tcp_hc_destroy();
syncache_destroy();
tcp_tw_destroy();
Index: sys/netinet/tcp_var.h
===================================================================
--- sys/netinet/tcp_var.h (revision 285923)
+++ sys/netinet/tcp_var.h (working copy)
@@ -666,11 +666,8 @@ char *tcp_log_addrs(struct in_conninfo *, struct t
char *tcp_log_vain(struct in_conninfo *, struct tcphdr *, void *,
const void *);
int tcp_reass(struct tcpcb *, struct tcphdr *, int *, struct mbuf *);
-void tcp_reass_init(void);
+void tcp_reass_global_init(void);
void tcp_reass_flush(struct tcpcb *);
-#ifdef VIMAGE
-void tcp_reass_destroy(void);
-#endif
void tcp_input(struct mbuf *, int);
u_long tcp_maxmtu(struct in_conninfo *, struct tcp_ifcap *);
u_long tcp_maxmtu6(struct in_conninfo *, struct tcp_ifcap *);
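Review bot: renaming the prototype to tcp_reass_global_init() and dropping the `#ifdef VIMAGE` tcp_reass_destroy() declaration is the right safety net: any out-of-tree or stale caller of the old names now fails to compile rather than silently calling a per-VNET initialiser or destructor that no longer exists. The tcp_destroy() hunk above already removes the only in-tree destroy call, so this header change should land together with it.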


@ -0,0 +1,194 @@
Index: sys/netinet/tcp_reass.c
===================================================================
--- sys/netinet/tcp_reass.c (revision 285923)
+++ sys/netinet/tcp_reass.c (working copy)
@@ -79,25 +79,22 @@ static int tcp_reass_sysctl_qsize(SYSCTL_HANDLER_A
static SYSCTL_NODE(_net_inet_tcp, OID_AUTO, reass, CTLFLAG_RW, 0,
"TCP Segment Reassembly Queue");
-static VNET_DEFINE(int, tcp_reass_maxseg) = 0;
-#define V_tcp_reass_maxseg VNET(tcp_reass_maxseg)
-SYSCTL_VNET_INT(_net_inet_tcp_reass, OID_AUTO, maxsegments, CTLFLAG_RDTUN,
- &VNET_NAME(tcp_reass_maxseg), 0,
+static int tcp_reass_maxseg = 0;
+SYSCTL_INT(_net_inet_tcp_reass, OID_AUTO, maxsegments, CTLFLAG_RDTUN,
+ &tcp_reass_maxseg, 0,
"Global maximum number of TCP Segments in Reassembly Queue");
-SYSCTL_VNET_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,
+SYSCTL_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,
(CTLTYPE_INT | CTLFLAG_RD), NULL, 0, &tcp_reass_sysctl_qsize, "I",
"Global number of TCP Segments currently in Reassembly Queue");
-static VNET_DEFINE(int, tcp_reass_overflows) = 0;
-#define V_tcp_reass_overflows VNET(tcp_reass_overflows)
-SYSCTL_VNET_INT(_net_inet_tcp_reass, OID_AUTO, overflows,
+static int tcp_reass_overflows = 0;
+SYSCTL_INT(_net_inet_tcp_reass, OID_AUTO, overflows,
CTLFLAG_RD,
- &VNET_NAME(tcp_reass_overflows), 0,
+ &tcp_reass_overflows, 0,
"Global number of TCP Segment Reassembly Queue Overflows");
-static VNET_DEFINE(uma_zone_t, tcp_reass_zone);
-#define V_tcp_reass_zone VNET(tcp_reass_zone)
+static uma_zone_t tcp_reass_zone;
/* Initialize TCP reassembly queue */
static void
@@ -105,37 +102,28 @@ tcp_reass_zone_change(void *tag)
{
/* Set the zone limit and read back the effective value. */
- V_tcp_reass_maxseg = nmbclusters / 16;
- V_tcp_reass_maxseg = uma_zone_set_max(V_tcp_reass_zone,
- V_tcp_reass_maxseg);
+ tcp_reass_maxseg = nmbclusters / 16;
+ tcp_reass_maxseg = uma_zone_set_max(tcp_reass_zone,
+ tcp_reass_maxseg);
}
void
-tcp_reass_init(void)
+tcp_reass_global_init(void)
{
- V_tcp_reass_maxseg = nmbclusters / 16;
+ tcp_reass_maxseg = nmbclusters / 16;
TUNABLE_INT_FETCH("net.inet.tcp.reass.maxsegments",
- &V_tcp_reass_maxseg);
- V_tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
+ &tcp_reass_maxseg);
+ tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
/* Set the zone limit and read back the effective value. */
- V_tcp_reass_maxseg = uma_zone_set_max(V_tcp_reass_zone,
- V_tcp_reass_maxseg);
+ tcp_reass_maxseg = uma_zone_set_max(tcp_reass_zone,
+ tcp_reass_maxseg);
EVENTHANDLER_REGISTER(nmbclusters_change,
tcp_reass_zone_change, NULL, EVENTHANDLER_PRI_ANY);
}
-#ifdef VIMAGE
void
-tcp_reass_destroy(void)
-{
-
- uma_zdestroy(V_tcp_reass_zone);
-}
-#endif
-
-void
tcp_reass_flush(struct tcpcb *tp)
{
struct tseg_qent *qe;
@@ -145,7 +133,7 @@ tcp_reass_flush(struct tcpcb *tp)
while ((qe = LIST_FIRST(&tp->t_segq)) != NULL) {
LIST_REMOVE(qe, tqe_q);
m_freem(qe->tqe_m);
- uma_zfree(V_tcp_reass_zone, qe);
+ uma_zfree(tcp_reass_zone, qe);
tp->t_segqlen--;
}
@@ -159,7 +147,7 @@ tcp_reass_sysctl_qsize(SYSCTL_HANDLER_ARGS)
{
int qsize;
- qsize = uma_zone_get_cur(V_tcp_reass_zone);
+ qsize = uma_zone_get_cur(tcp_reass_zone);
return (sysctl_handle_int(oidp, &qsize, 0, req));
}
@@ -207,7 +195,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
*/
if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
- V_tcp_reass_overflows++;
+ tcp_reass_overflows++;
TCPSTAT_INC(tcps_rcvmemdrop);
m_freem(m);
*tlenp = 0;
@@ -226,7 +214,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
* Use a temporary structure on the stack for the missing segment
* when the zone is exhausted. Otherwise we may get stuck.
*/
- te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
+ te = uma_zalloc(tcp_reass_zone, M_NOWAIT);
if (te == NULL) {
if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) {
TCPSTAT_INC(tcps_rcvmemdrop);
@@ -277,7 +265,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp);
m_freem(m);
if (te != &tqs)
- uma_zfree(V_tcp_reass_zone, te);
+ uma_zfree(tcp_reass_zone, te);
tp->t_segqlen--;
/*
* Try to present any queued data
@@ -314,7 +302,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
nq = LIST_NEXT(q, tqe_q);
LIST_REMOVE(q, tqe_q);
m_freem(q->tqe_m);
- uma_zfree(V_tcp_reass_zone, q);
+ uma_zfree(tcp_reass_zone, q);
tp->t_segqlen--;
q = nq;
}
@@ -353,7 +341,7 @@ present:
else
sbappendstream_locked(&so->so_rcv, q->tqe_m);
if (q != &tqs)
- uma_zfree(V_tcp_reass_zone, q);
+ uma_zfree(tcp_reass_zone, q);
tp->t_segqlen--;
q = nq;
} while (q && q->tqe_th->th_seq == tp->rcv_nxt);
Index: sys/netinet/tcp_subr.c
===================================================================
--- sys/netinet/tcp_subr.c (revision 285923)
+++ sys/netinet/tcp_subr.c (working copy)
@@ -376,7 +376,6 @@ tcp_init(void)
tcp_tw_init();
syncache_init();
tcp_hc_init();
- tcp_reass_init();
TUNABLE_INT_FETCH("net.inet.tcp.sack.enable", &V_tcp_do_sack);
V_sack_hole_zone = uma_zcreate("sackhole", sizeof(struct sackhole),
@@ -386,6 +385,8 @@ tcp_init(void)
if (!IS_DEFAULT_VNET(curvnet))
return;
+ tcp_reass_global_init();
+
/* XXX virtualize those bellow? */
tcp_delacktime = TCPTV_DELACK;
tcp_keepinit = TCPTV_KEEP_INIT;
@@ -433,7 +434,6 @@ void
tcp_destroy(void)
{
- tcp_reass_destroy();
tcp_hc_destroy();
syncache_destroy();
tcp_tw_destroy();
Index: sys/netinet/tcp_var.h
===================================================================
--- sys/netinet/tcp_var.h (revision 285923)
+++ sys/netinet/tcp_var.h (working copy)
@@ -679,11 +679,8 @@ char *tcp_log_addrs(struct in_conninfo *, struct t
char *tcp_log_vain(struct in_conninfo *, struct tcphdr *, void *,
const void *);
int tcp_reass(struct tcpcb *, struct tcphdr *, int *, struct mbuf *);
-void tcp_reass_init(void);
+void tcp_reass_global_init(void);
void tcp_reass_flush(struct tcpcb *);
-#ifdef VIMAGE
-void tcp_reass_destroy(void);
-#endif
void tcp_input(struct mbuf *, int);
u_long tcp_maxmtu(struct in_conninfo *, struct tcp_ifcap *);
u_long tcp_maxmtu6(struct in_conninfo *, struct tcp_ifcap *);


@ -0,0 +1,89 @@
Index: crypto/openssh/auth2-chall.c
===================================================================
--- crypto/openssh/auth2-chall.c (revision 285923)
+++ crypto/openssh/auth2-chall.c (working copy)
@@ -82,6 +82,7 @@ struct KbdintAuthctxt
void *ctxt;
KbdintDevice *device;
u_int nreq;
+ u_int devices_done;
};
#ifdef USE_PAM
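Review bot: `u_int devices_done;` is added to the context but nothing in this patch shows it being cleared when the context is created; unless the allocator zero-fills the structure (xcalloc, or an explicit `kbdintctxt->devices_done = 0;` in the alloc path), stale bits would make devices look already used and keyboard-interactive could fail on the first request. Also worth a comment that the field is a bitmask indexed by position in devices[], which caps it at 32 devices for a 32-bit u_int; fine for the handful of devices here, but `1 << i` with i >= 32 would be undefined behaviour.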
@@ -169,9 +170,14 @@ kbdint_next_device(KbdintAuthctxt *kbdintctxt)
if (len == 0)
break;
- for (i = 0; devices[i]; i++)
- if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
+ for (i = 0; devices[i]; i++) {
+ if ((kbdintctxt->devices_done & (1 << i)) != 0)
+ continue;
+ if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0) {
kbdintctxt->device = devices[i];
+ kbdintctxt->devices_done |= 1 << i;
+ }
+ }
t = kbdintctxt->devices;
kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
xfree(t);
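Review bot: the rewritten loop skips any device whose bit is already set in devices_done and marks a device on its first match, so a name that appears more than once in the client-supplied list is matched only once; the remainder of the list is still consumed by the `xstrdup(t+len+1)` line, so a repeated entry yields no device for that pass. Confirm that the enclosing do/while (not shown) exits with device == NULL in that case and that the caller treats it as a failed attempt; a short comment on the `devices_done` check saying that it prevents a device from being run more than once per request would make the intent obvious.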
Index: crypto/openssh/sshconnect.c
===================================================================
--- crypto/openssh/sshconnect.c (revision 285923)
+++ crypto/openssh/sshconnect.c (working copy)
@@ -1141,29 +1141,39 @@ verify_host_key(char *host, struct sockaddr *hosta
{
int flags = 0;
char *fp;
+ Key *plain = NULL;
fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
debug("Server host key: %s %s", key_type(host_key), fp);
xfree(fp);
- /* XXX certs are not yet supported for DNS */
- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
- if (flags & DNS_VERIFY_FOUND) {
-
- if (options.verify_host_key_dns == 1 &&
- flags & DNS_VERIFY_MATCH &&
- flags & DNS_VERIFY_SECURE)
- return 0;
-
- if (flags & DNS_VERIFY_MATCH) {
- matching_host_key_dns = 1;
- } else {
- warn_changed_key(host_key);
- error("Update the SSHFP RR in DNS with the new "
- "host key to get rid of this message.");
+ if (options.verify_host_key_dns) {
+ /*
+ * XXX certs are not yet supported for DNS, so downgrade
+ * them and try the plain key.
+ */
+ plain = key_from_private(host_key);
+ if (key_is_cert(plain))
+ key_drop_cert(plain);
+ if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
+ if (flags & DNS_VERIFY_FOUND) {
+ if (options.verify_host_key_dns == 1 &&
+ flags & DNS_VERIFY_MATCH &&
+ flags & DNS_VERIFY_SECURE) {
+ key_free(plain);
+ return 0;
+ }
+ if (flags & DNS_VERIFY_MATCH) {
+ matching_host_key_dns = 1;
+ } else {
+ warn_changed_key(plain);
+ error("Update the SSHFP RR in DNS "
+ "with the new host key to get rid "
+ "of this message.");
+ }
}
}
+ key_free(plain);
}
return check_host_key(host, hostaddr, options.port, host_key, RDRW,
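Review bot: `Key *plain = NULL;` is declared at function scope but only assigned and freed inside the `if (options.verify_host_key_dns)` block; both exits of that block free it (the `key_free(plain); return 0;` pair and the `key_free(plain);` before the closing brace), so there is no leak, but moving the declaration into the block would make that obvious. The behavioural change deserves a sentence in the log: where certificates used to skip DNS verification entirely (`!key_is_cert(host_key)` in the removed condition), a certificate is now reduced with key_drop_cert() to its underlying key and compared against SSHFP, and `warn_changed_key(plain)` therefore reports the plain key, which is the object that was actually compared.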

@ -0,0 +1,90 @@
Index: crypto/openssh/auth2-chall.c
===================================================================
--- crypto/openssh/auth2-chall.c (revision 285923)
+++ crypto/openssh/auth2-chall.c (working copy)
@@ -82,6 +82,7 @@ struct KbdintAuthctxt
void *ctxt;
KbdintDevice *device;
u_int nreq;
+ u_int devices_done;
};
#ifdef USE_PAM
@@ -168,11 +169,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthc
if (len == 0)
break;
for (i = 0; devices[i]; i++) {
- if (!auth2_method_allowed(authctxt,
+ if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
+ !auth2_method_allowed(authctxt,
"keyboard-interactive", devices[i]->name))
continue;
- if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
+ if (strncmp(kbdintctxt->devices, devices[i]->name,
+ len) == 0) {
kbdintctxt->device = devices[i];
+ kbdintctxt->devices_done |= 1 << i;
+ }
}
t = kbdintctxt->devices;
kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
Index: crypto/openssh/sshconnect.c
===================================================================
--- crypto/openssh/sshconnect.c (revision 285923)
+++ crypto/openssh/sshconnect.c (working copy)
@@ -1247,29 +1247,39 @@ verify_host_key(char *host, struct sockaddr *hosta
{
int flags = 0;
char *fp;
+ Key *plain = NULL;
fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
debug("Server host key: %s %s", key_type(host_key), fp);
free(fp);
- /* XXX certs are not yet supported for DNS */
- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
- if (flags & DNS_VERIFY_FOUND) {
-
- if (options.verify_host_key_dns == 1 &&
- flags & DNS_VERIFY_MATCH &&
- flags & DNS_VERIFY_SECURE)
- return 0;
-
- if (flags & DNS_VERIFY_MATCH) {
- matching_host_key_dns = 1;
- } else {
- warn_changed_key(host_key);
- error("Update the SSHFP RR in DNS with the new "
- "host key to get rid of this message.");
+ if (options.verify_host_key_dns) {
+ /*
+ * XXX certs are not yet supported for DNS, so downgrade
+ * them and try the plain key.
+ */
+ plain = key_from_private(host_key);
+ if (key_is_cert(plain))
+ key_drop_cert(plain);
+ if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
+ if (flags & DNS_VERIFY_FOUND) {
+ if (options.verify_host_key_dns == 1 &&
+ flags & DNS_VERIFY_MATCH &&
+ flags & DNS_VERIFY_SECURE) {
+ key_free(plain);
+ return 0;
+ }
+ if (flags & DNS_VERIFY_MATCH) {
+ matching_host_key_dns = 1;
+ } else {
+ warn_changed_key(plain);
+ error("Update the SSHFP RR in DNS "
+ "with the new host key to get rid "
+ "of this message.");
+ }
}
}
+ key_free(plain);
}
return check_host_key(host, hostaddr, options.port, host_key, RDRW,


@ -0,0 +1,12 @@
Index: contrib/bind9/lib/dns/tkey.c
===================================================================
--- contrib/bind9/lib/dns/tkey.c (revision 285922)
+++ contrib/bind9/lib/dns/tkey.c (working copy)
@@ -650,6 +650,7 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkey
* Try the answer section, since that's where Win2000
* puts it.
*/
+ name = NULL;
if (dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
dns_rdatatype_tkey, 0, &name,
&tkeyset) != ISC_R_SUCCESS) {
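Review bot: `name = NULL;` before the second dns_message_findname() call is needed because the first lookup (above this hunk, in another section) can leave name set even though it did not succeed, and dns_message_findname() requires the out-pointer to be NULL on entry; without the reset a query whose TKEY record is not where the first lookup expected it violates that precondition. A brief comment on the line, e.g. `/* reset: dns_message_findname() requires *name == NULL */`, would keep the next refactoring from dropping it.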


@ -10,6 +10,26 @@
<month>
<name>7</name>
<day>
<name>28</name>
<advisory>
<name>FreeBSD-SA-15:17.bind</name>
</advisory>
<advisory>
<name>FreeBSD-SA-15:16.openssh</name>
</advisory>
<advisory>
<name>FreeBSD-SA-15:15.tcp</name>
</advisory>
<advisory>
<name>FreeBSD-SA-15:14.bsdpatch</name>
</advisory>
</day>
<day>
<name>21</name>